
Ultimate Cleaner 2007 Virus 4


zouv

Vendor
Sep 22, 2005
45
I have got this on my PC. Nightmare, I have AOL spyware and McAfee antivirus and it doesn't seem to be capable of identifying all the files and removing them. It's infected Internet Explorer and keeps loading pages and has changed my homepage etc. What's the best spyware to remove this? Even better if it's free, or should I just buy a product? Any tips gratefully appreciated.
 
Forgot to add that I haven't actioned anything from the hijack log. Will wait to receive your advice before I do anything with it. Thanks
 
see post 18 and do those!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
If you read post 18 it is all in there for you!

You fix a few entries in HijackThis, then download and run SDFix, then run the ComboFix script fix and lastly download and run, if you can, AVG Anti-Spyware. You have already run Dr.Web so you don't have to do that again!

Post a new ComboFix log, HijackThis log and the AVG and the SDFix logs!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
SDFix: Version 1.171
Run by Maria on 16/04/2008 at 20:34

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Maria\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\spnkfwad.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-04-16 20:46:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1131841800\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1131841800\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"

Remaining Files :


File Backups: - C:\DOCUME~1\Maria\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 23 Mar 1999 16,062 ..SHR --- "C:\LOGO.SYS"
Tue 22 Jun 2004 54,384 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Tue 22 Jun 2004 156,784 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Tue 22 Jun 2004 31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 31 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 8 Apr 2007 210,944 ...H. --- "C:\Documents and Settings\John\My Documents\~WRL1545.tmp"
Sun 8 Apr 2007 213,504 ...H. --- "C:\Documents and Settings\John\My Documents\~WRL3703.tmp"
Sat 30 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT35A.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT358.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT35C.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT35B.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT35D.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT359.tmp"
Thu 29 Mar 2007 20,992 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL0001.tmp"
Sun 1 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 1 Apr 2007 19,968 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL0005.tmp"
Sun 1 Apr 2007 20,992 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL1313.tmp"
Sun 14 May 2006 26,112 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL1564.tmp"
Sun 1 Apr 2007 20,480 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL2073.tmp"
Thu 17 Nov 2005 20,992 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL2594.tmp"
Mon 9 Apr 2007 31,232 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL3224.tmp"
Sun 1 Apr 2007 19,968 ...H. --- "C:\Documents and Settings\Maria\Application Data\Microsoft\Word\~WRL3347.tmp"
Thu 26 Jul 2007 42,496 A..H. --- "C:\Documents and Settings\Maria\My Documents\Maria's Documents\Maria's 16-9-07 Backed Up Documents Folder\~WRL0803.tmp"

Finished!



Logfile of HijackThis v1.99.1
Scan saved at 21:26:06, on 16/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\AOL\1131841800\ee\AOLSoftware.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\common files\aol\1131841800\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131841800\ee\aolsoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Maria\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131841800\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone:
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{254A522B-1270-4CCE-8DF2-FC114BAF51E3}: NameServer = 205.188.146.145
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


Okay, to confirm you need me to copy quote box contents into combo fix now?
Thanks again
 
yes!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Hi, I did the recommended action, saving the CFScript.txt text in Notepad and dragging it into ComboFix. It ran and said it was complete and that it was compiling a report. Unfortunately the programme just froze. I thought it had taken too long but left it overnight just in case, but no good. On rebooting the computer this morning the Notepad file has disappeared, so I assume that the action was completed? Is there any way that I can retrieve the ComboFix report or should I just perform this action again?
 
try it again in safe mode!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Did ComboFix in safe mode and it completed with no problems this time. Still can't get AVG; it downloads and then when I run it, it starts and quickly stops and says that it contains corrupted files and to try and download again. I've tried a few times. What would you advise I should do next? Run MajorGeeks? Thanks for your help.
 
oops forgot this!

ComboFix 08-04-14.2 - Maria 2008-04-15 20:52:20.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Maria\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\rs.txt
C:\WINDOWS\system32\casilnky.ini
C:\WINDOWS\system32\coojapbq.ini
C:\WINDOWS\system32\fmptdpay.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmnLcbxw.dll
C:\WINDOWS\system32\tuvvSIyW.dll
C:\WINDOWS\system32\wvUnNfDv.dll
C:\WINDOWS\system32\WyISvvut.ini
C:\WINDOWS\system32\WyISvvut.ini2
C:\WINDOWS\system32\yapdtpmf.ini
C:\WINDOWS\system32\yknlisac.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 21:20 . 2008-04-15 21:20 98,304 --a------ C:\WINDOWS\system32\dgtsrmhw.exe
2008-04-15 10:55 . 2008-04-15 10:55 3,648 --a------ C:\WINDOWS\system32\ahnudvvs.dll
2008-04-15 10:52 . 2008-04-15 10:52 53,312 --a------ C:\WINDOWS\system32\fhrkewws.dll
2008-04-15 07:33 . 2008-04-15 21:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 07:33 . 2008-04-15 07:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 00:13 . 2008-04-15 00:13 5,132 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-15 00:12 . 2008-04-15 00:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-15 00:12 . 2008-04-15 00:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-15 00:12 . 2008-04-15 00:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-15 00:12 . 2008-04-15 00:09 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-15 00:12 . 2008-04-15 00:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-15 00:12 . 2008-04-15 00:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-15 00:12 . 2008-04-15 00:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-15 00:02 . 2008-04-15 00:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 20:36 . 2008-04-14 20:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 20:32 . 2008-04-14 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2008-04-14 20:31 . 2008-04-14 20:31 <DIR> d-------- C:\Program Files\WinZip Self-Extractor
2008-04-14 10:54 . 2008-04-14 10:54 3,648 --a------ C:\WINDOWS\system32\lkpigjpp.dll
2008-04-14 10:52 . 2008-04-14 10:52 53,312 --a------ C:\WINDOWS\system32\qnugugnx.dll
2008-04-14 09:26 . 2008-04-14 09:26 106,496 --a------ C:\WINDOWS\system32\fahynilw.exe
2008-04-14 06:44 . 2008-04-14 09:14 264 --a------ C:\WINDOWS\wininit.ini
2008-04-14 01:10 . 2008-04-14 18:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 01:10 . 2008-04-14 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 00:28 . 2008-04-14 00:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-13 23:11 . 2008-04-13 23:11 90,112 --a------ C:\WINDOWS\system32\etytmniv.exe
2008-04-13 23:07 . 2008-04-13 23:07 <DIR> d-------- C:\Documents and Settings\John\Application Data\TmpRecentIcons
2008-04-13 21:01 . 2008-04-13 21:04 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-13 17:09 . 2002-12-06 10:21 55,936 --a------ C:\WINDOWS\system32\drivers\MpFirewall.sys
2008-04-13 17:09 . 2002-07-01 14:17 20,480 --a------ C:\WINDOWS\system32\MpfApi.dll
2008-04-13 17:00 . 2008-04-13 17:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-13 11:37 . 2008-04-14 21:38 <DIR> d-------- C:\Documents and Settings\Maria\Application Data\TmpRecentIcons
2008-04-13 10:49 . 2008-04-13 10:49 3,648 --a------ C:\WINDOWS\system32\mtpgfcek.dll
2008-04-13 10:48 . 2008-04-13 10:49 53,312 --------- C:\WINDOWS\system32\qtrscfep.dll_old
2008-04-13 10:34 . 2008-04-13 07:06 81,920 --a------ C:\WINDOWS\spnkfwad.exe
2008-04-13 10:32 . 2008-04-13 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yhmpszip
2008-04-13 10:32 . 2008-04-13 10:32 90,112 --a------ C:\WINDOWS\system32\yvknirof.exe
2008-03-25 22:26 . 2008-03-25 22:26 1,747 --ah----- C:\hpothb07.tif
2008-03-25 22:26 . 2008-03-25 22:26 932 --ah----- C:\hpothb07.dat
2008-03-25 22:25 . 2008-03-25 22:25 175 --ah----- C:\Documents and Settings\Maria\hpothb07.dat
2008-03-25 22:25 . 2008-03-25 22:25 0 --ah----- C:\Documents and Settings\Guest\hpothb07.dat
2008-03-25 22:24 . 2008-03-25 22:34 722 --ah----- C:\Documents and Settings\All Users\hpothb07.dat
2008-03-25 16:46 . 2008-03-25 16:47 <DIR> d-------- C:\Program Files\iTunes
2008-03-25 16:27 . 2008-03-25 16:29 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-13 20:20 --------- d-----w C:\Program Files\Yahoo!
2008-04-13 17:22 --------- d-----w C:\Program Files\DivX
2008-04-09 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-25 15:47 --------- d-----w C:\Program Files\iPod
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-08 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-08 23:00 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-08 22:50 --------- d-----w C:\Program Files\Java
2008-03-08 22:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 21:34 --------- d-----w C:\Documents and Settings\John\Application Data\InstallShield
2008-03-08 21:29 --------- d-----w C:\Program Files\TomTom DesktopSuite
2008-03-08 21:28 --------- d-----w C:\Documents and Settings\Maria\Application Data\TomTom
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-02-20 21:35 863 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-15 10:52 53312 --a------ C:\WINDOWS\system32\fhrkewws.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{340FFF53-1D47-41B1-93F3-CC8276227C29}"= "C:\WINDOWS\sgoblxtm.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{340fff53-1d47-41b1-93f3-cc8276227c29}]
[HKEY_CLASSES_ROOT\sgoblxtm.1]
[HKEY_CLASSES_ROOT\TypeLib\{31F44EB4-B527-4450-AE3C-DC9EDBB5D97A}]
[HKEY_CLASSES_ROOT\sgoblxtm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 11:58 206184]
"cqxpbyfo"="C:\WINDOWS\system32\yvknirof.exe" [2008-04-13 10:32 90112]
"sdoejpnr"="C:\WINDOWS\system32\fahynilw.exe" [2008-04-14 09:26 106496]
"txdbyphx"="C:\WINDOWS\system32\dgtsrmhw.exe" [2008-04-15 21:20 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2002-01-22 16:46 131072]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-12-14 14:01 32768]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [ ]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2001-10-12 15:45 69632]
"AutoLogon"="" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-01 09:24 26112]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00 245760]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" [2003-08-21 18:10 180224]
"HostManager"="C:\Program Files\Common Files\AOL\1131841800\ee\AOLSoftware.exe" [2006-11-17 14:21 50736]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2002-12-09 15:35 208896]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"AOLAspSunset2"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe" [ ]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 14:20 227328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 18:57 1048576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 16:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"xj1krMbzVP"= C:\Documents and Settings\All Users\Application Data\yhmpszip\qjqfelyh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnNfDv]
wvUnNfDv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1131841800\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8022d17-c08c-11dc-8a4a-00038a000015}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 11:37:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-03-09 22:34:54 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1128025151.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-04-15 20:34:00 C:\WINDOWS\Tasks\McAfee.com Update Check (PAOLODICANIO-Guest).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-04-15 20:35:00 C:\WINDOWS\Tasks\McAfee.com Update Check (PAOLODICANIO-Jessica).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-04-15 20:37:00 C:\WINDOWS\Tasks\McAfee.com Update Check (PAOLODICANIO-John).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-04-15 19:15:28 C:\WINDOWS\Tasks\McAfee.com Update Check (PAOLODICANIO-Maria).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-15 20:34:00 C:\WINDOWS\Tasks\McAfee.com Update Check (PAOLODICANIO-Paul).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-04-15 21:23:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\COMPAQ\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\Common Files\AOL\1131841800\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131841800\ee\anotify.exe
.
**************************************************************************
.
Completion time: 2008-04-15 21:38:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 20:38:06

Pre-Run: 41,863,659,520 bytes free
Post-Run: 41,892,081,664 bytes free
.
2008-04-09 14:23:30 --- E O F ---
 
Ran the ATF cleaner, didn't get prompt to save passwords though?

Have tried downloading AVG spyware and still getting nowhere. Any further actions I should do? Also would be grateful if you could recommend a good free anti virus and firewall. Fed up with McAfee. Assume I should stick with SUPERAntiSpyware for spyware protection?
Thanks for all your help.
 
* Copy the entire contents of the Quote Box below to Notepad.
* Name the file fix.reg
* Change the Save as Type to All Files
* and save it on the desktop. Then double click it to enter it into the registry, and click OK at the prompt.


REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-15 10:52 53312 --a------ C:\WINDOWS\system32\fhrkewws.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{340FFF53-1D47-41B1-93F3-CC8276227C29}"= "C:\WINDOWS\sgoblxtm.dll" [ ]

[-HKEY_CLASSES_ROOT\sgoblxtm.1]

[-HKEY_CLASSES_ROOT\sgoblxtm]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cqxpbyfo"="C:\WINDOWS\system32\yvknirof.exe" [2008-04-13 10:32 90112]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sdoejpnr"="C:\WINDOWS\system32\fahynilw.exe" [2008-04-14 09:26 106496]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"txdbyphx"="C:\WINDOWS\system32\dgtsrmhw.exe" [2008-04-15 21:20 98304]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"xj1krMbzVP"= C:\Documents and Settings\All Users\Application Data\yhmpszip\qjqfelyh.exe



1. Please download The Avenger by Swandog46 to your Desktop.


* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop


2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Files to delete:
C:\WINDOWS\system32\fahynilw.exe
C:\Documents and Settings\All Users\Application Data\yhmpszip\qjqfelyh.exe
C:\WINDOWS\system32\dgtsrmhw.exe
C:\WINDOWS\system32\ahnudvvs.dll
C:\WINDOWS\system32\fhrkewws.dll
C:\WINDOWS\system32\etytmniv.exe
C:\WINDOWS\system32\mtpgfcek.dll
C:\WINDOWS\system32\qtrscfep.dll_old
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\system32\yvknirof.exe
C:\WINDOWS\sgoblxtm.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

* It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
* On reboot, it will briefly open a black command window on your desktop; this is normal.
* After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.



Download the HostsXpert 3.7 - Hosts File Manager.


* Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert 3.7 - Hosts File Manager
* Run HostsXpert 3.7 - Hosts File Manager from its new home
* Click "Make Hosts Writable?" in the upper right corner (If available).
* Click Restore Original Hosts and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Post a HijackThis log and the Avenger log, and also see if you can now download AVG.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
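As an added example, not part of the thread and not The Avenger's own code: a small Python script that reconciles an Avenger "Files to delete:" script against the C:\avenger.txt log the procedure above produces, so you can see at a glance which requested deletions happened, which files were already gone (the outcome a previous tool such as ComboFix or SDFix leaves behind), and which failed for another reason. The "Deletion of file ... failed!" and "Status:" line formats are taken from the Avenger log posted in this thread; the success-line wording, the sample script and the sample log are constructed assumptions.

```python
import re

# Log line formats. The failure and Status: lines match the Avenger log posted
# in this thread; the "deleted successfully" wording is an assumption.
FAILED_RE = re.compile(r'^Deletion of file "(?P<path>.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>[A-Z_]+)\)$')
DELETED_RE = re.compile(r'^File "(?P<path>.+)" deleted successfully\.$')

# Constructed sample script in the shape of the one posted above (hypothetical paths).
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\example1.exe
C:\WINDOWS\example2.dll
C:\Documents and Settings\All Users\Application Data\foo\example3.exe
"""

# Constructed sample log: one deletion that worked, one file already gone
# (the outcome every entry in the thread's real log had), one access-denied failure.
SAMPLE_LOG = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46

Beginning to process script file:

File "C:\WINDOWS\system32\example1.exe" deleted successfully.


Error: file "C:\WINDOWS\example2.dll" not found!
Deletion of file "C:\WINDOWS\example2.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Deletion of file "C:\Documents and Settings\All Users\Application Data\foo\example3.exe" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.
"""


def parse_script(text):
    """Return {section: [entries]} from an Avenger script.

    Sections are headed by a line ending in ':' ("Files to delete:",
    "Drivers to unload:", ...); entries are the non-blank lines that follow.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return {lowercased path: outcome} for every file the log reports on.

    outcome is 'deleted', or the NTSTATUS name from the 'Status:' line that
    follows a 'Deletion of file ... failed!' line.
    """
    results = {}
    pending = None  # path whose Status: line has not arrived yet
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            results[m.group("path").lower()] = "deleted"
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group("path").lower()
            results[pending] = "failed"  # refined when the Status: line arrives
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            results[pending] = m.group("name")
            pending = None
    return results


def reconcile(script_text, log_text):
    """Map each file the script asked to delete to what the log says happened."""
    requested = parse_script(script_text).get("files to delete", [])
    seen = parse_log(log_text)
    report = {}
    for path in requested:  # Windows paths compare case-insensitively
        outcome = seen.get(path.lower(), "no log entry")
        if outcome == "STATUS_OBJECT_NAME_NOT_FOUND":
            outcome = "not found (already removed or never present)"
        report[path] = outcome
    return report


def summarize(report):
    """Count outcomes so a helper can see whether anything is left to deal with."""
    counts = {}
    for outcome in report.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    result = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for path, outcome in result.items():
        print(f"{outcome:45} {path}")
    print(summarize(result))
```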
 
Pechenegs thanks for your continuing advice. I will start on these over the weekend. I watched some sport on my pc last weekend and downloaded sopcast and think that might have been the problem? Should I avoid sopcast in future? I get the feeling I should but would appreciate your opinion.
 
I have no idea, never heard of sopcast; as with all p2p networks you need to be aware of spyware and foistware being downloaded surreptitiously onto your machine.

Engaging a good firewall and anti virus should block and warn you of any programs trying to install or run without your knowledge, and then you can block them or, if in doubt, google the name and find out what it is!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Hi pechenegs, did the avenger and it worked fine. The link for funkytoad download didn't work and so then went to homepage. Download version now available on there is HostsXpert 4.2, should I download this and follow your instructions? Have pasted avenger log below. You also want me to carry out another HijackThis and post the log?

Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\fahynilw.exe" not found!
Deletion of file "C:\WINDOWS\system32\fahynilw.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Documents and Settings\All Users\Application Data\yhmpszip\qjqfelyh.exe" not found!
Deletion of file "C:\Documents and Settings\All Users\Application Data\yhmpszip\qjqfelyh.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\dgtsrmhw.exe" not found!
Deletion of file "C:\WINDOWS\system32\dgtsrmhw.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ahnudvvs.dll" not found!
Deletion of file "C:\WINDOWS\system32\ahnudvvs.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\fhrkewws.dll" not found!
Deletion of file "C:\WINDOWS\system32\fhrkewws.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\etytmniv.exe" not found!
Deletion of file "C:\WINDOWS\system32\etytmniv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\mtpgfcek.dll" not found!
Deletion of file "C:\WINDOWS\system32\mtpgfcek.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\qtrscfep.dll_old" not found!
Deletion of file "C:\WINDOWS\system32\qtrscfep.dll_old" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\spnkfwad.exe" not found!
Deletion of file "C:\WINDOWS\spnkfwad.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\yvknirof.exe" not found!
Deletion of file "C:\WINDOWS\system32\yvknirof.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\sgoblxtm.dll" not found!
Deletion of file "C:\WINDOWS\sgoblxtm.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 
Logfile of HijackThis v1.99.1
Scan saved at 11:34:09, on 18/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\1131841800\ee\AOLSoftware.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1131841800\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1131841800\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Maria\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131841800\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: 
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - 
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - 
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - 
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - 
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{254A522B-1270-4CCE-8DF2-FC114BAF51E3}: NameServer = 205.188.146.145
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
 
Yes, download the new version and also run another combo and post its log. Don't run the script I posted the last time, just run combo as normal and post its log, and see now, after you have run funkytoad, if you can download and run AVG?


Ok, the log looks clean now, but do the above as I need to make sure combo log is clean!

You should uninstall McAfee and make sure you are disconnected from the internet, and then make sure you have already downloaded AntiVir and Comodo firewall, and then uninstall McAfee and install the other two and then reconnect to the internet and update AntiVir!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Thanks again pechenegs.

Back at work now. Will download funkytoad when I get home and run that. I disabled McAfee firewall and managed to download AVG and installed that (free trial version). I then rebooted in safe mode and started running the scan. Will post that up when I get home.

Do you have an opinion on whether I should download and use the free anti virus or just pay up and use AVG after the trial, is it much better? Also should I keep all the dr webs, combo fix and all the other programmes I downloaded or should I delete them? I figured I should stick them in a folder and keep them, but thought I should ask the question. Deleted McAfee now and hopefully will also notice the difference as I read that it slows up your system a lot.
 
I would use AntiVir as an anti virus; AVG after the trial is free to use in a limited capacity, which means you don't get auto updates but you can update it yourself!

Post a new HijackThis log, the combo log and an AVG antispyware log.

You can delete dr web and sdfix, and after you have run the combo you can do this to uninstall combo!

Keep all the other tools!




Go to Start ---> Run ---> Type ComboFix /u and press Enter. This will uninstall ComboFix.

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
ComboFix log below, and have pasted the AVG log below too.




ComboFix 08-04-14.2 - Maria 2008-04-18 19:16:02.4 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Maria\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

Scan "Command line scan" was finished.
Infections found:;"15"
Infected objects removed or healed;"0"
Not removed or healed.;"15"
Spyware found:;"4"
Spyware removed:;"0"
Not removed:;"4"
Warnings count:;"62"
Information count:;"0"
Scan started:;"18 April 2008, 12:21:08"
Total object scanned:;"828520"
Time needed:;"3 hour(s) 48 minute(s) 43 second(s) "
Errors encountered:;"0"

Infections
File;"Infection";"Result"
C:\Documents and Settings\John\My Documents\My Videos\ASE_Setup_Free.exe;"Trojan horse SHeur.BDYB";"Infected"
C:\Documents and Settings\Maria\Desktop\SDFix\backups\backups.zip:\backups\spnkfwad.exe;"Trojan horse Downloader.Adload.EZ";"Infected"
C:\Documents and Settings\Maria\Desktop\SDFix\backups\backups.zip;"Trojan horse Downloader.Adload.EZ";"Infected"
C:\Documents and Settings\Maria\DoctorWeb\Quarantine\fmptdpay.dll.vir;"Virus found Lop";"Infected"
C:\Documents and Settings\Maria\DoctorWeb\Quarantine\pmnLcbxw.dll.vir;"Trojan horse Generic10.KWR";"Infected"
C:\Documents and Settings\Maria\DoctorWeb\Quarantine\yknlisac.dll.vir;"Virus found Lop";"Infected"
C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite\comps\acsxpfix.exe:\ns_00002;"Trojan horse Startpage.CPM";"Infected"
C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite\comps\acsxpfix.exe;"Trojan horse Startpage.CPM";"Infected"
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\ACSLAN~1.EXE:\ns_00002;"Trojan horse Startpage.CPM";"Infected"
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\ACSLAN~1.EXE;"Trojan horse Startpage.CPM";"Infected"
C:\QooBox\Quarantine\C\WINDOWS\system32\qtrscfep.dll_old.vir;"Virus found Win32/Heur";"Infected"
C:\QooBox\Quarantine\catchme2008-04-15_211741.39.zip:\Documents and Settings\Maria\Desktop\catchme.zip:\tuvvSIyW.dll;"Trojan horse Generic10.KYZ";"Infected"
C:\QooBox\Quarantine\catchme2008-04-15_211741.39.zip:\Documents and Settings\Maria\Desktop\catchme.zip:\wvUnNfDv.dll;"Trojan horse Generic10.KWR";"Infected"
C:\QooBox\Quarantine\catchme2008-04-15_211741.39.zip:\Documents and Settings\Maria\Desktop\catchme.zip;"Trojan horse Generic10.KYZ";"Infected"
C:\QooBox\Quarantine\catchme2008-04-15_211741.39.zip;"Trojan horse Generic10.KYZ";"Infected"

Spyware
File;"Infection";"Result"
C:\Documents and Settings\Maria\Desktop\SDFix\apps\download.exe;"Potentially harmful program Tool.FF";"Potentially dangerous object"
C:\Documents and Settings\Maria\Desktop\SDFix.exe:\SDFix\apps\download.exe;"Potentially harmful program Tool.FF";"Potentially dangerous object"
C:\Documents and Settings\Maria\Desktop\SDFix.exe;"Potentially harmful program Tool.FF";"Potentially dangerous object"
C:\SDFix\apps\download.exe;"Potentially harmful program Tool.FF";"Potentially dangerous object"

Warnings
File;"Infection";"Result"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66};"Found Adware.RogueSuspect";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C78AB3F-A857-482E-80C0-3A1E5238A565};"Found Adware.Isearch";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593};"Found Adware.RogueSuspect";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5054F860-748D-4840-B7B4-DDDB428421AF};"Found Adware.Generic";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88D758A3-D33B-45FD-91E3-67749B4057FA};"Found Adware.Generic";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF};"Found Adware.TitanShieldAntispyware";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2B2B5A1-B48C-4886-A318-723916A01024};"Found Adware.Generic";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62};"Found Adware.Generic";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7};"Found Adware.Generic";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9};"Found Adware.SecureServicePack";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF};"Found Adware.Generic";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@adbrite[2].txt:\adbrite.com.d5e309c2;"Found Tracking cookie.Adbrite";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@adbrite[2].txt:\adbrite.com.71beeff9;"Found Tracking cookie.Adbrite";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@adbrite[2].txt;"Found Tracking cookie.Adbrite";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@adtech[2].txt:\adtech.de.a9245469;"Found Tracking cookie.Adtech";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@adtech[2].txt;"Found Tracking cookie.Adtech";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@advertising[2].txt:\advertising.com.203aa218;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@advertising[2].txt:\advertising.com.f62113d5;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@advertising[2].txt:\advertising.com.1820df7a;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@advertising[2].txt:\advertising.com.b624fa46;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@advertising[2].txt;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@aoluk.122.2o7[1].txt:\aoluk.122.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@aoluk.122.2o7[1].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@atdmt[2].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@atdmt[2].txt;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@atdmt[3].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@atdmt[3].txt;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@bs.serving-sys[1].txt;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@doubleclick[1].txt:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@doubleclick[1].txt;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@doubleclick[2].txt:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@doubleclick[2].txt;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@fastclick[1].txt:\fastclick.net.fac3d6f0;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@fastclick[1].txt:\fastclick.net.8a6435e9;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@fastclick[1].txt:\fastclick.net.57e8da10;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@fastclick[1].txt:\fastclick.net.19d0b716;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@fastclick[1].txt:\fastclick.net.6fd479aa;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@fastclick[1].txt;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@media.adrevolver[1].txt:\media.adrevolver.com.5fed601d;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@media.adrevolver[1].txt;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@mediaplex[1].txt:\mediaplex.com.f652b123;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@mediaplex[1].txt;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@mediaplex[2].txt:\mediaplex.com.f652b123;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@mediaplex[2].txt;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@msnportal.112.2o7[1].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@msnportal.112.2o7[2].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@msnportal.112.2o7[2].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@revsci[1].txt:\revsci.net.e9dbeb91;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@revsci[1].txt:\revsci.net.2df99d79;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@revsci[1].txt:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@revsci[1].txt;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt:\serving-sys.com.c9034af6;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt:\serving-sys.com.606c3d3b;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt:\serving-sys.com.4b416ef8;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt:\serving-sys.com.255d6f2f;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt:\serving-sys.com.6a1cf9e8;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt:\serving-sys.com.400f83f;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@serving-sys[2].txt;"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@tradedoubler[1].txt:\tradedoubler.com.eab0972e;"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"
C:\Documents and Settings\Maria\Cookies\maria@tradedoubler[1].txt;"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"


2008-04-18 19:09 . 2008-04-18 19:09 <DIR> d-------- C:\Program Files\Comodo
2008-04-18 19:09 . 2005-11-03 09:06 211 --a------ C:\boot.ini.comodofirewall
2008-04-18 11:54 . 2008-04-18 11:54 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-18 11:54 . 2008-04-18 11:54 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-18 11:54 . 2008-04-18 11:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-18 11:53 . 2008-04-18 11:59 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-18 11:53 . 2008-04-18 11:53 <DIR> d-------- C:\Documents and Settings\Maria\Application Data\AVGTOOLBAR
2008-04-18 11:53 . 2008-04-18 11:53 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-18 11:52 . 2008-04-18 11:52 <DIR> d-------- C:\Program Files\AVG
2008-04-18 11:52 . 2008-04-18 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-17 19:49 . 2008-04-18 18:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 19:49 . 2008-04-17 19:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-16 20:30 . 2008-04-16 20:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-16 20:20 . 2008-04-15 11:39 <DIR> d-------- C:\SDFix
2008-04-15 23:56 . 2008-04-15 23:56 <DIR> d-------- C:\Documents and Settings\Maria\DoctorWeb
2008-04-15 21:54 . 2008-04-15 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-15 21:53 . 2008-04-15 21:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-15 21:53 . 2008-04-15 21:53 <DIR> d-------- C:\Documents and Settings\Maria\Application Data\SUPERAntiSpyware.com
2008-04-15 21:52 . 2008-04-15 21:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 00:13 . 2008-04-15 00:13 5,132 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-15 00:12 . 2008-04-15 00:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-15 00:12 . 2008-04-15 00:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-15 00:12 . 2008-04-15 00:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-15 00:12 . 2008-04-15 00:09 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-15 00:12 . 2008-04-15 00:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-15 00:12 . 2008-04-15 00:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-15 00:12 . 2008-04-15 00:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-15 00:02 . 2008-04-18 11:56 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 20:36 . 2008-04-14 20:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 20:32 . 2008-04-14 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2008-04-14 20:31 . 2008-04-14 20:31 <DIR> d-------- C:\Program Files\WinZip Self-Extractor
2008-04-14 06:44 . 2008-04-14 09:14 264 --a------ C:\WINDOWS\wininit.ini
2008-04-14 01:10 . 2008-04-14 18:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 01:10 . 2008-04-14 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 00:28 . 2008-04-14 00:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-13 23:07 . 2008-04-13 23:07 <DIR> d-------- C:\Documents and Settings\John\Application Data\TmpRecentIcons
2008-04-13 21:01 . 2008-04-13 21:04 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-13 17:00 . 2008-04-13 17:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-13 11:37 . 2008-04-14 21:38 <DIR> d-------- C:\Documents and Settings\Maria\Application Data\TmpRecentIcons
2008-04-13 10:32 . 2008-04-15 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yhmpszip
2008-03-25 22:26 . 2008-03-25 22:26 1,747 --ah----- C:\hpothb07.tif
2008-03-25 22:26 . 2008-03-25 22:26 932 --ah----- C:\hpothb07.dat
2008-03-25 22:25 . 2008-03-25 22:25 175 --ah----- C:\Documents and Settings\Maria\hpothb07.dat
2008-03-25 22:25 . 2008-03-25 22:25 0 --ah----- C:\Documents and Settings\Guest\hpothb07.dat
2008-03-25 22:24 . 2008-03-25 22:34 722 --ah----- C:\Documents and Settings\All Users\hpothb07.dat
2008-03-25 16:46 . 2008-03-25 16:47 <DIR> d-------- C:\Program Files\iTunes
2008-03-25 16:27 . 2008-03-25 16:29 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 17:14 --------- d-----w C:\Program Files\McAfee.com
2008-04-18 11:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-15 23:19 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-13 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-13 20:20 --------- d-----w C:\Program Files\Yahoo!
2008-04-13 17:22 --------- d-----w C:\Program Files\DivX
2008-04-09 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-25 15:47 --------- d-----w C:\Program Files\iPod
2008-03-08 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-08 23:00 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-08 22:50 --------- d-----w C:\Program Files\Java
2008-03-08 22:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 21:34 --------- d-----w C:\Documents and Settings\John\Application Data\InstallShield
2008-03-08 21:29 --------- d-----w C:\Program Files\TomTom DesktopSuite
2008-03-08 21:28 --------- d-----w C:\Documents and Settings\Maria\Application Data\TomTom
2006-02-20 21:35 863 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_21.36.38.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 20:15:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 18:24:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-07-11 08:41:36 345,656 ----a-w C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
+ 2008-04-15 10:38:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-16 19:31:24 5,730,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-16 19:31:25 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-15 10:38:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-16 19:31:04 5,730,304 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-16 19:31:04 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-04-15 20:53:56 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-15 20:53:57 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-04-18 10:53:54 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-04-18 18:09:09 75,520 ----a-w C:\WINDOWS\system32\drivers\cmdmon.sys
+ 2008-04-18 18:09:09 51,328 ----a-w C:\WINDOWS\system32\drivers\inspect.sys
+ 2006-12-01 21:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 23:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 23:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 23:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 23:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 23:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 23:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 23:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 23:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 23:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 23:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 23:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 23:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 23:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 23:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-18 11:53 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-18 11:53 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2002-01-22 16:46 131072]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-12-14 14:01 32768]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [ ]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2001-10-12 15:45 69632]
"AutoLogon"="" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-01 09:24 26112]
"HostManager"="C:\Program Files\Common Files\AOL\1131841800\ee\AOLSoftware.exe" [2006-11-17 14:21 50736]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2002-12-09 15:35 208896]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 16:30 71008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"AOLAspSunset2"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe" [ ]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 14:20 227328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-18 11:53 1177368]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-04-18 19:09 1115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 16:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2006-06-13 22:22:30 156784]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 01:20:58 323646]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 00:23:00 53317]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1131841800\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-18 11:54]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-18 11:53]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2006-01-06 17:53]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-18 11:53]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-18 11:53]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-18 11:54]
S3 52f0f2d3-1f4d-4c4c-b2c3-b42d5e1e9837;52f0f2d3-1f4d-4c4c-b2c3-b42d5e1e9837;E:\Player\cds300.dll []
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2005-08-01 14:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8022d17-c08c-11dc-8a4a-00038a000015}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 11:37:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-03-09 22:34:54 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1128025151.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-04-18 19:25:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-18 19:36:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 18:36:47
ComboFix2.txt 2008-04-17 17:12:15
ComboFix3.txt 2008-04-15 20:39:11

Pre-Run: 41,779,068,928 bytes free
Post-Run: 41,763,651,584 bytes free
.
2008-04-09 14:23:30 --- E O F ---
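A worked triage pass over the loading-point sections of a log like the one above, added here as an example; it is not code from this thread, from ComboFix or from any of the tools named in it. It parses the `Run` values, the `R0`/`S1`/`S3` service lines, `AppInit_DLLs`, the firewall profile flag and the `MountPoints2` AutoRun entry, and flags the shapes a helper looks at first: a Run value whose `[ ]` is empty (ComboFix prints the file's date and size there when it can find the file), a value that is not a full path, a service named by a bare GUID or imaging from a drive other than the system drive, anything listed in `AppInit_DLLs`, and a cached AutoRun command. `SAMPLE_LOG` is constructed to mirror the line shapes in the posted log; the rule names and the assumption that the system drive is `C:` are this example's own.

```python
"""Review prompts from ComboFix-style log sections (Run values, services,
AppInit_DLLs, firewall profile, MountPoints2).  Added example, not ComboFix
code or code from the thread.  Findings are prompts to look closer, not
malware verdicts."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: same line shapes as the posted log, not the log itself.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2002-01-22 16:46 131072]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [ ]
"AutoLogon"="" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-18 11:53 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-18 11:54]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S3 52f0f2d3-1f4d-4c4c-b2c3-b42d5e1e9837;52f0f2d3-1f4d-4c4c-b2c3-b42d5e1e9837;E:\Player\cds300.dll []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8022d17-c08c-11dc-8a4a-00038a000015}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"([^"]*)"\s*\[([^\]]*)\]$')
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$", re.I)
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


@dataclass(frozen=True)
class Finding:
    rule: str     # heuristic that fired (names are this example's own)
    section: str  # registry key the line sat under, "" for service lines
    detail: str   # value, path or image that triggered it


def _check_run_value(section: str, name: str, path: str, info: str, out: List[Finding]) -> None:
    """Run value: empty data, a bare name instead of a path, or an empty [ ]
    (ComboFix found no file to date/size) each earns a second look."""
    if not path:
        out.append(Finding("empty-run-value", section, name))
    elif not DRIVE_RE.match(path):
        out.append(Finding("not-a-full-path", section, f"{name} -> {path}"))
    elif not info.strip():
        out.append(Finding("no-file-info", section, f"{name} -> {path}"))


def triage(log_text: str, system_drive: str = "C:") -> List[Finding]:
    """Walk the log once and return review prompts.  system_drive is an
    assumption; the posted log shows Windows on C:."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := FIREWALL_RE.match(line)):
            if m.group(1) == "0":  # Windows Firewall off for this profile
                findings.append(Finding("windows-firewall-off", section, line))
        elif (m := APPINIT_RE.match(line)):
            # Anything here loads into every process that links user32.dll,
            # so identify it even when it belongs to an AV product.
            if m.group(1).strip():
                findings.append(Finding("appinit-dll", section, m.group(1).strip()))
        elif (m := AUTORUN_RE.match(line)):
            # Per-volume AutoRun command cached under MountPoints2
            findings.append(Finding("autorun-command", section, m.group(1)))
        elif (m := SERVICE_RE.match(line)):
            _start, _order, name, _display, image, info = m.groups()
            if GUID_RE.match(name):  # a bare GUID is an odd service name
                findings.append(Finding("guid-named-service", "", f"{name} -> {image}"))
            drive = DRIVE_RE.match(image)
            if drive and drive.group(1).upper() != system_drive[0].upper():
                findings.append(Finding("image-outside-system-drive", "", image))
            if not info.strip():
                findings.append(Finding("no-file-info", "", f"{name} -> {image}"))
        elif (m := VALUE_RE.match(line)):
            _check_run_value(section, *m.groups(), out=findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.detail}")
```

The flags are prompts, not verdicts: in the posted log `EnableFirewall = 0` lines up with COMODO Firewall Pro having been installed the same day, and the AVG entries carry current dates and sizes, so those clear quickly. The `[ ]` entries and the GUID-named service pointing at `E:\Player\cds300.dll` are the ones to identify before any fix script is written.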
 