
trojan horse dropper agent GIT Help Help Help Please!!!!

I have got infected with trojan horse dropper agent GIT. AVG Free detects it but doesn't seem to fix it; here is the logfile, and I would really appreciate some help in removing this!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:15, on 03/02/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Common Files\??curity\j?vaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqq.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {436CC993-5478-7AA5-5766-5B00B7BE8CEB} - C:\WINDOWS\system32\azco.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {94c6e9d7-0a2e-ef88-3cd4-aff189a3ad27} - {72da3a98-1ffa-4dc3-88fe-e2a07d9e6c49} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BCC2E1D2-E991-4813-8740-8E62B1F3D861} - (no file)
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [60676266686B666D] C7CEC9CDCFD2CD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com sd=http://inspaid.systemerrorfixer.com
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\SystemErrorFixer\strpmon .exe" dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com sd=http://inspaid.systemerrorfixer.com
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: efcaywu - efcaywu.dll (file missing)
O20 - Winlogon Notify: snqoxhau - snqoxhau.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 7349 bytes
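As an added example (not code from this thread, nor from HijackThis or ComboFix), a small Python triage script that parses lines in the HijackThis v2 format shown above and flags the patterns a log reader looks for: a space before the file extension (the "msnmsgr .exe" impostor-file trick), a win.ini load= autostart, unnamed BHOs, hex-style Run entries, and Winlogon Notify DLLs. The sample lines are constructed from the log's own formats, and the severity rules are this example's own assumptions rather than anything HijackThis itself reports.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format, modelled on the log above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqq.exe
O2 - BHO: (no name) - {436CC993-5478-7AA5-5766-5B00B7BE8CEB} - C:\WINDOWS\system32\azco.dll
O2 - BHO: (no name) - {BCC2E1D2-E991-4813-8740-8E62B1F3D861} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [60676266686B666D] C7CEC9CDCFD2CD.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O20 - Winlogon Notify: efcaywu - efcaywu.dll (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# A base name ending in a space before the extension ("msnmsgr .exe"): a second
# file that mimics a legitimate one and is easy to overlook in a process list.
SPACE_EXT_RE = re.compile(r"\S \.(exe|dll|scr|com)\b", re.IGNORECASE)
# Value names / file names made only of hex digits, as in the [6067...] Run entry.
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8,}(\.exe)?$", re.IGNORECASE)
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)


def classify(line: str) -> list[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # process list, headers, footer: nothing to classify
    sec, body = m.group("sec"), m.group("body")
    out: list[Finding] = []

    def add(severity: str, reason: str) -> None:
        out.append(Finding(sec, severity, reason, line.strip()))

    if SPACE_EXT_RE.search(body):
        add("high", "file name has a space before its extension (impostor of a legitimate file)")
    if sec == "F3" and "load=" in body:
        add("high", "win.ini load= autostart; rarely used by legitimate software")

    orphan = body.endswith("(no file)") or body.endswith("(file missing)")
    if sec == "O2" and "(no name)" in body:
        add("low" if orphan else "high",
            "unnamed BHO" + (" (orphaned registration)" if orphan
                             else " loads into every Internet Explorer process"))
    elif sec == "O20":
        add("low" if orphan else "high",
            "Winlogon Notify DLL" + (" registered but missing" if orphan
                                     else " is loaded by winlogon.exe at every logon"))
    elif orphan:
        add("low", "entry points at a missing file; cleanup candidate")

    if sec == "O4":
        o4 = O4_RE.match(body)
        exe = EXE_RE.match(o4.group("cmd")) if o4 else None
        if o4 and exe:
            base = exe.group(1).rsplit("\\", 1)[-1]
            if HEX_NAME_RE.match(o4.group("name")) or HEX_NAME_RE.match(base):
                add("high", "Run entry with hex-style name; typical of generated droppers")
            elif "\\" not in exe.group(1):
                add("medium", "bare file name; resolved through the search path, check which copy runs")
    return out


def triage(log_text: str) -> list[Finding]:
    """Classify every line of a HijackThis log, preserving log order."""
    return [f for line in log_text.splitlines() for f in classify(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```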

Comments

  • gringo_pr Puerto Rico
    edited February 2008
    Hello and Welcome to the forums!

    My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

    Please reply to this thread, do not start another.
    Please tell me about any problems that have occurred during the fix.
    Please tell me of any other symptoms you may be having as these can help also.
    Please try as much as possible not to run anything while executing a fix.

    As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

    If you follow these instructions, everything should go smoothly.

    We are currently looking at your log and will be back as soon as possible with your instructions.
    While you are waiting, one other thing that can be of good use is an uninstall list, so please do the following:

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.


    Gringo
  • gringo_pr Puerto Rico
    edited February 2008
    Hello momope

    : run combofix :

    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    : information and logs :

    In your next post I need the following

    • 1. log from ComboFix
    • 2. new log from HijackThis
    • 3. have you been helped before, or have you used any tools by yourself?
    Gringo
  • edited February 2008
    Thanks so much for helping me out.
    I did the steps that you told me to do, so my new stuff is here.
    1) New HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:07:01, on 04/02/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\OneStepSearch\onestep.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\OneStepSearch\onestep.exe
    C:\WINDOWS\Explorer.EXE
    C:\ComboFix\kmd.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O20 - Winlogon Notify: efcaywu - efcaywu.dll (file missing)
    O20 - Winlogon Notify: snqoxhau - snqoxhau.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    --
    End of file - 6268 bytes



    2) ComboFix Log here:


    ComboFix 08-02.03.1 - user 04/02/2008 10:41:48.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT -8:00]
    Running from: C:\Documents and Settings\fozia\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\fozia\Application Data\ShoppingReport
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\Config.xml
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\db\Aliases.dbs
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\db\Sites.dbs
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\report\aggr_storage.xml
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\report\send_storage.xml
    C:\Documents and Settings\fozia\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\Config.xml
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\db\Aliases.dbs
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\db\Sites.dbs
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\report\aggr_storage.xml
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\report\send_storage.xml
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
    C:\Documents and Settings\hamed\Application Data\ShoppingReport
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\Config.xml
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\db\Aliases.dbs
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\db\Sites.dbs
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\report\aggr_storage.xml
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\report\send_storage.xml
    C:\Documents and Settings\hamed\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
    C:\Documents and Settings\yasar\Application Data\SEMBLY~1
    C:\Documents and Settings\yasar\Application Data\SEMBLY~1\??sembly\
    C:\Documents and Settings\yasar\Application Data\SEMBLY~1\javaw .exe
    C:\Documents and Settings\yasar\Application Data\ShoppingReport
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\Config.xml
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\db\Aliases.dbs
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\db\Sites.dbs
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\report\aggr_storage.xml
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\report\send_storage.xml
    C:\Documents and Settings\yasar\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
    C:\Documents and Settings\yasar\Application Data\SKS~1
    C:\Documents and Settings\yasar\Application Data\SKS~1\w?nword.exe
    C:\Documents and Settings\yasar\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\yasar\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\yasar\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\curity~1
    C:\Program Files\Common Files\curity~1\j?vaw.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
    C:\Program Files\fnts~1
    C:\Program Files\Router
    C:\Program Files\Router\Router.exe
    C:\Program Files\Temporary
    C:\Program Files\Words
    C:\Program Files\Words\list.txt
    C:\Program Files\Words\script.txt
    C:\Program Files\Words\UnInstall.exe
    C:\Program Files\Words\Words .exe
    C:\Program Files\Words\Words.exe
    C:\Program Files\ystem3~1
    C:\Program Files\ystem3~1\dexplore .exe
    C:\Program Files\ystem3~1\dexplore.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\WINDOWS\b104.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
    C:\WINDOWS\Fonts\acrsecB.fon
    C:\WINDOWS\Fonts\acrsecI.fon
    C:\WINDOWS\system32\azco.dll
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ncoafnje.ini
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pppatc~1
    C:\WINDOWS\system32\ptcdetjq.dll
    C:\WINDOWS\system32\qardevam.dll
    C:\WINDOWS\system32\qjtedctp.ini
    C:\WINDOWS\system32\qqtss.ini
    C:\WINDOWS\system32\qqtss.ini2
    C:\WINDOWS\system32\rcyunbsi.dll
    C:\WINDOWS\system32\scurit~1
    C:\WINDOWS\system32\snqoxhau.dllbox
    C:\WINDOWS\system32\winio.dll


    BITS: Possible infected sites

    hxxp://msgr.dlservice.microsoft.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
    .

    2008-02-04 09:20 . 2008-02-04 09:20 <DIR> d-------- C:\Documents and Settings\fozia\Application Data\AVG7
    2008-02-03 13:44 . 2008-02-03 13:45 <DIR> d-------- C:\Documents and Settings\yasar\Application Data\AVG7
    2008-02-03 11:02 . 2008-02-03 11:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-03 08:43 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
    2008-02-03 08:43 . 2008-02-03 08:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-03 08:42 . 2008-02-03 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-03 08:42 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-02-02 15:19 . 2008-02-02 15:19 <DIR> d-------- C:\Documents and Settings\user\Application Data\systemerrorfixer
    2008-02-02 15:14 . 2008-02-02 15:14 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\systemerrorfixer
    2008-02-02 15:13 . 2008-02-02 15:40 <DIR> d-------- C:\Program Files\SystemErrorFixer
    2008-02-02 15:13 . 2008-02-04 01:54 <DIR> d-------- C:\Program Files\Common Files\SystemErrorFixer
    2008-02-02 15:13 . 2008-02-02 15:13 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
    2008-02-02 15:09 . 2008-02-02 15:41 <DIR> d-------- C:\Program Files\Deus Cleaner
    2008-02-02 05:29 . 2008-02-03 09:21 67,072 --a------ C:\WINDOWS\SOUNDMAN .EXE
    2008-02-02 04:26 . 2008-02-02 04:26 <DIR> d-------- C:\WINDOWS\A01872BE21234F1BB295E3D1774DC0C9.TMP
    2008-02-02 03:54 . 2008-02-02 13:56 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2008-01-24 02:38 . 2008-01-24 02:38 <DIR> d-------- C:\Program Files\AoA Audio Extractor
    2008-01-24 02:38 . 2008-01-25 04:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-22 16:10 . 2008-01-22 16:10 <DIR> d-------- C:\Program Files\Transparent
    2008-01-22 16:10 . 2008-01-22 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Transparent
    2008-01-22 15:25 . 2008-02-03 15:24 <DIR> d-------- C:\WINDOWS\system32\pip2
    2008-01-22 15:25 . 2008-02-03 15:24 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
    2008-01-22 15:25 . 2008-02-03 15:24 <DIR> d-------- C:\WINDOWS\system32\gig5
    2008-01-22 15:25 . 2008-01-22 15:25 <DIR> d-------- C:\WINDOWS\system32\eck8
    2008-01-22 15:25 . 2008-01-22 15:25 <DIR> d-------- C:\Temp\gTiis19
    2008-01-22 15:25 . 2008-01-22 15:25 <DIR> d-------- C:\Temp\cXzz9
    2008-01-22 13:25 . 2008-01-22 13:26 <DIR> d-------- C:\Documents and Settings\user\Contacts
    2008-01-19 17:10 . 2008-01-19 17:10 <DIR> d-------- C:\Program Files\ASIO4ALL v2
    2008-01-19 17:09 . 2002-07-07 14:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
    2008-01-19 16:04 . 2008-02-03 10:22 <DIR> d-------- C:\Program Files\VstPlugins
    2008-01-19 16:04 . 2006-06-20 00:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
    2008-01-19 16:03 . 2008-02-03 10:22 <DIR> d-------- C:\Program Files\Image-Line
    2008-01-19 08:58 . 2008-01-19 08:58 <DIR> d-------- C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP
    2008-01-19 04:24 . 2008-01-19 04:24 <DIR> d-------- C:\Documents and Settings\yasar\Contacts
    2008-01-19 04:22 . 2008-01-19 04:23 <DIR> d-------- C:\Program Files\Windows Live
    2008-01-19 04:22 . 2008-01-19 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-01-19 04:22 . 2008-01-19 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
    2008-01-18 14:15 . 2008-01-19 04:20 <DIR> d-------- C:\My Downloads
    2008-01-15 04:01 . 2008-01-15 04:01 <DIR> d-------- C:\WINDOWS\system32\545B565A5C5F5A
    2008-01-14 01:37 . 2008-01-19 09:20 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck .exe
    2008-01-14 01:37 . 2008-02-03 09:21 14,336 --a------ C:\WINDOWS\system32\ctfmon .exe
    2008-01-14 01:34 . 2008-02-04 01:54 <DIR> d-------- C:\Program Files\Dot1XCfg
    2008-01-14 01:30 . 2008-02-03 15:24 <DIR> d-------- C:\WINDOWS\system32\pe2
    2008-01-14 01:30 . 2008-01-14 01:30 <DIR> d-------- C:\WINDOWS\system32\ka8
    2008-01-14 01:29 . 2008-02-03 15:24 <DIR> d-------- C:\WINDOWS\system32\edcA01
    2008-01-12 14:05 . 2008-02-02 07:26 <DIR> d-------- C:\Program Files\Norton Security Scan
    2008-01-11 10:41 . 2008-01-11 10:41 <DIR> d-------- C:\Documents and Settings\fozia\Application Data\Zango
    2008-01-11 07:16 . 2008-01-11 07:16 <DIR> d-------- C:\Documents and Settings\yasar\Application Data\Zango
    2008-01-11 05:41 . 2008-01-11 05:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\WeatherDPA
    2008-01-05 06:05 . 2008-01-13 05:38 2,048 --a------ C:\WINDOWS\system32\Tr_sttool.dat
    2008-01-05 05:33 . 2008-01-05 05:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\FairStars Recorder
    2008-01-04 13:17 . 2008-01-18 04:28 <DIR> d-------- C:\Program Files\Dictionary
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-04 18:47 --------- d-----w C:\Program Files\Spyware Terminator
    2008-02-04 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-02-04 17:25 --------- d-----w C:\Documents and Settings\fozia\Application Data\Spyware Terminator
    2008-02-04 09:54 --------- d-----w C:\Program Files\LogMeIn
    2008-02-03 18:23 --------- d-----w C:\Program Files\TuneUp Utilities 2007
    2008-02-03 18:08 --------- d-----w C:\Documents and Settings\user\Application Data\Spyware Terminator
    2008-02-02 13:09 407,040 ----a-w C:\WINDOWS\SOUNDMAN.EXE
    2008-02-02 12:15 --------- d-----w C:\Program Files\MixVibes6
    2008-02-02 12:15 --------- d-----w C:\Program Files\DJServ
    2008-01-31 14:35 --------- d-----w C:\Program Files\AllToAVI
    2008-01-25 13:40 --------- d-----w C:\Program Files\OneStepSearch
    2008-01-23 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-22 23:16 --------- d-----w C:\Program Files\VirtualDJ
    2008-01-21 14:17 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
    2008-01-19 17:17 --------- d-----w C:\Program Files\iMesh Applications
    2008-01-18 12:28 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
    2008-01-18 12:27 --------- d-----w C:\Program Files\No1 Sound Recorder
    2008-01-14 16:59 --------- d-----w C:\Program Files\btbb_wcm
    2008-01-12 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZangoSA
    2008-01-12 10:22 --------- d-----w C:\Documents and Settings\user\Application Data\iMesh
    2008-01-11 13:43 --------- d-----w C:\Documents and Settings\user\Application Data\Zango
    2007-12-27 15:22 --------- d-----w C:\Documents and Settings\user\Application Data\Aegisub
    2007-12-27 12:16 --------- d-----w C:\Program Files\Mixman Technologies
    2007-12-27 12:14 --------- d-----w C:\Program Files\Visual Discomix DJ Basic
    2007-12-27 11:16 --------- d-----w C:\Program Files\Doblon
    2007-12-25 15:12 --------- d-----w C:\Documents and Settings\user\Application Data\user
    2007-12-24 20:08 --------- d-----w C:\Documents and Settings\user\Application Data\NCH Swift Sound
    2007-12-24 09:06 --------- d-----w C:\Documents and Settings\hamed.COMPUTER01\Application Data\Spyware Terminator
    2007-12-23 10:06 --------- d--h--r C:\Documents and Settings\hamed.COMPUTER01\Application Data\yahoo!
    2007-12-23 10:05 --------- d-----w C:\Documents and Settings\hamed.COMPUTER01\Application Data\Teleca
    2007-12-16 20:17 --------- d-----w C:\Documents and Settings\hamed\Application Data\Spyware Terminator
    2007-12-16 13:24 --------- d-----w C:\Documents and Settings\hamed\Application Data\TuneUp Software
    2007-12-14 19:07 --------- d-----w C:\Documents and Settings\hamed\Application Data\Media Player Classic
    2007-12-14 13:30 --------- d-----w C:\Program Files\NCH Software
    2007-12-14 13:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2007-12-14 11:07 --------- d-----w C:\Program Files\Spuntrix1 v2.0
    2007-12-14 10:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-12-14 10:51 372,736 ------w C:\WINDOWS\Setup1.exe
    2007-12-14 10:44 5 ----a-w C:\Program Files\thumbsfiles3.dat
    2007-12-14 10:43 --------- d-----w C:\Program Files\Windows Media Components
    2007-12-14 10:29 729,088 ----a-w C:\WINDOWS\iun6002.exe
    2007-12-12 13:45 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
    2007-12-12 12:32 --------- d-----w C:\Program Files\Power MP3 WMA Converter
    2007-12-11 22:27 --------- d-----w C:\Documents and Settings\user\Application Data\CBL-Electronics
    2007-12-11 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CBL-Electronics
    2007-12-11 20:38 --------- d-----w C:\Program Files\XYLIO
    2007-12-07 14:16 --------- d-----w C:\Program Files\Realtek Sound Manager
    2007-12-07 14:16 --------- d-----w C:\Program Files\AvRack
    2007-12-07 11:54 --------- d-----w C:\Documents and Settings\user\Application Data\AVCutty
    2007-12-06 13:05 --------- d-----w C:\Program Files\GeoVid
    2007-12-06 13:05 --------- d-----w C:\Documents and Settings\user\Application Data\GeoVid
    2007-12-06 12:06 --------- d-----w C:\Program Files\C-Media
    2007-12-06 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
    2007-12-05 17:19 23,600 ----a-w C:\WINDOWS\system32\drivers\tvichw32.sys
    2007-12-05 16:52 --------- d-----w C:\Program Files\Winferno
    2007-12-04 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winferno
    2007-12-04 10:44 --------- d--h--r C:\Documents and Settings\hamed\Application Data\yahoo!
    2007-12-04 10:41 --------- d-----w C:\Documents and Settings\hamed\Application Data\Teleca
    2007-12-04 10:41 --------- d-----w C:\Documents and Settings\hamed\Application Data\.clamwin
    2007-11-13 23:06 1,558,280 ----a-w C:\WINDOWS\screengenie.scr
    .
    <pre>
    ----a-w           409,600 2008-01-26 08:21:36  C:\Documents and Settings\fozia\Local Settings\Temp\kpfbunfw .exe
    ----a-w            74,304 2008-02-03 16:40:56  C:\Documents and Settings\fozia\Local Settings\Temp\nykdnthj .exe
    ----a-w           409,600 2008-01-26 08:34:15  C:\Documents and Settings\fozia\Local Settings\Temp\rxqwqjtq .exe
    ----a-w           462,935 2008-02-03 17:21:38  C:\Program Files\BT Home Hub\Help\SmartBridge\BTHelpNotifier .exe
    ----a-w           543,232 2008-01-14 16:59:07  C:\Program Files\btbb_wcm\McciTrayApp .exe
    ----a-w            90,112 2008-01-19 18:04:09  C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor .exe
    ----a-w           579,072 2008-02-03 17:21:44  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w            63,048 2008-02-02 11:44:41  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
    ----a-w         1,679,360 2008-01-19 18:23:48  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         1,123,840 2008-01-19 17:21:06  C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl .exe
    ----a-w           772,096 2008-01-19 17:21:05  C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray .exe
    ----a-w           159,744 2008-01-23 16:22:36  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
    ----a-w         2,778,112 2008-02-03 17:21:59  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
    ----a-w         5,729,136 2008-02-03 17:22:12  C:\Program Files\Windows Live\Messenger\msnmsgr  .exe
    ----a-w         6,094,848 2008-02-03 17:21:27  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
    ----a-w           129,536 2008-02-03 17:21:45  C:\Program Files\Yahoo!\browser\ybrwicon .exe
    ----a-w         4,670,704 2008-02-03 17:22:08  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
    ----a-w         5,031,424 2008-02-03 17:21:20  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
    ----a-w         4,670,704 2008-02-02 14:07:47  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
    ----a-w         5,031,424 2008-02-02 14:39:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
    ----a-w            67,072 2008-02-03 17:21:34  C:\WINDOWS\SOUNDMAN .EXE
    ----a-w            14,336 2008-02-03 17:21:44  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           406,016 2008-01-19 17:20:36  C:\WINDOWS\system32\PSDrvCheck .exe
    </pre>
    


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-03-11 16:18 14336]
    "Router"="C:\Program Files\Router\Router.exe" [ ]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [2008-02-03 09:21 5031424]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr .exe" [2008-02-03 09:21 6094848]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2008-02-02 05:09 407040 C:\WINDOWS\SOUNDMAN.EXE]
    "Motive SmartBridge"="C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2008-02-03 09:21 823808]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-03 09:58 2778112]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2008-02-03 09:21 464896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-03-11 16:18 14336]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-03 08:43 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    BT Broadband Desktop Help.lnk - C:\Program Files\BT Home Hub\Help\bin\matcli.exe [2007-11-02 05:44:01 217088]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaywu]
    efcaywu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-21 11:26 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\snqoxhau]
    snqoxhau.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
    "InstantTray"=C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
    "IW_Drop_Icon"=C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    "Words"=C:\Program Files\Words\Words.exe
    "Dot1XCfg"=C:\Program Files\Dot1XCfg\Dot1XCfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    "60676266686B666D"=C7CEC9CDCFD2CD.exe
    "runner1"=C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6

    R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 13:47]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-11-03 01:56]
    R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 16:06]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
    R2 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []
    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-03-11 16:19]
    R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 10:10]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-22 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
    "2008-02-02 11:58:45 C:\WINDOWS\Tasks\Norton Security Scan.job"
    - C:\Program Files\Norton Security Scan\Nss.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-04 10:47:17
    Windows 5.1.2600 Service Pack 2, v.2096 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0

    **************************************************************************
    .

    Other Running Processes
    .
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\OneStepSearch\onestep.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\OneStepSearch\onestep.exe
    C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-04 10:54:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-04 18:54:30



    3) When I log in to my account at start-up, two pop-up windows appear, one stating Run error and the other stating you cannot access a certain file on the C drive.
  • edited February 2008
    4) I have not asked for anyone's help before and have not done anything by myself because I'm new to all this, so that's why it seems to be so messed up!
  • gringo_pr Puerto Rico
    edited February 2008
    hello momope

    P2P Warning!
    IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    iMesh
    LimeWire


    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.

    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm

    I would recommend that you uninstall LimeWire and iMesh; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.

    : Clean temp files :

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.

    if you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    if you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    :Run CFScript:

    Open Notepad and copy/paste the text in the box into the window:
    File:: 
    C:\WINDOWS\A01872BE21234F1BB295E3D1774DC0C9.TMP
    C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP
    C:\WINDOWS\iun6002.exe
    C:\WINDOWS\mrofinu572.exe
    Folder:: 
    C:\Documents and Settings\user\Application Data\systemerrorfixer
    C:\Program Files\SystemErrorFixer
    C:\Program Files\Common Files\SystemErrorFixer
    C:\Program Files\Deus Cleaner
    C:\WINDOWS\system32\pip2
    C:\WINDOWS\system32\nGpxx01
    C:\WINDOWS\system32\gig5
    C:\WINDOWS\system32\eck8
    C:\Documents and Settings\fozia\Application Data\Zango
    C:\Documents and Settings\yasar\Application Data\Zango
    C:\Documents and Settings\user\Application Data\WeatherDPA
    C:\Documents and Settings\All Users\Application Data\ZangoSA
    C:\Documents and Settings\user\Application Data\Zango
    C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
    C:\Documents and Settings\All Users\Application Data\systemerrorfixer
    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\Temp\gTiis19
    C:\Temp\cXzz9
    C:\Program Files\Dot1XCfg
    C:\WINDOWS\system32\pe2
    C:\WINDOWS\system32\ka8
    C:\WINDOWS\system32\edcA01
    C:\Program Files\OneStepSearch
    Registry:: 
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Router"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaywu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\snqoxhau]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "60676266686B666D"=-
    "runner1"=-
    RenV::
    ----a-w           409,600 2008-01-26 08:21:36  C:\Documents and Settings\fozia\Local Settings\Temp\kpfbunfw .exe
    ----a-w            74,304 2008-02-03 16:40:56  C:\Documents and Settings\fozia\Local Settings\Temp\nykdnthj .exe
    ----a-w           409,600 2008-01-26 08:34:15  C:\Documents and Settings\fozia\Local Settings\Temp\rxqwqjtq .exe
    ----a-w           462,935 2008-02-03 17:21:38  C:\Program Files\BT Home Hub\Help\SmartBridge\BTHelpNotifier .exe
    ----a-w           543,232 2008-01-14 16:59:07  C:\Program Files\btbb_wcm\McciTrayApp .exe
    ----a-w            90,112 2008-01-19 18:04:09  C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor .exe
    ----a-w           579,072 2008-02-03 17:21:44  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w            63,048 2008-02-02 11:44:41  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
    ----a-w         1,679,360 2008-01-19 18:23:48  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         1,123,840 2008-01-19 17:21:06  C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl .exe
    ----a-w           772,096 2008-01-19 17:21:05  C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray .exe
    ----a-w           159,744 2008-01-23 16:22:36  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
    ----a-w         2,778,112 2008-02-03 17:21:59  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
    ----a-w         5,729,136 2008-02-03 17:22:12  C:\Program Files\Windows Live\Messenger\msnmsgr  .exe
    ----a-w         6,094,848 2008-02-03 17:21:27  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
    ----a-w           129,536 2008-02-03 17:21:45  C:\Program Files\Yahoo!\browser\ybrwicon .exe
    ----a-w         4,670,704 2008-02-03 17:22:08  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
    ----a-w         5,031,424 2008-02-03 17:21:20  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
    ----a-w         4,670,704 2008-02-02 14:07:47  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
    ----a-w         5,031,424 2008-02-02 14:39:05  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
    ----a-w            67,072 2008-02-03 17:21:34  C:\WINDOWS\SOUNDMAN .EXE
    ----a-w            14,336 2008-02-03 17:21:44  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           406,016 2008-01-19 17:20:36  C:\WINDOWS\system32\PSDrvCheck .exe
    Dir Look::
    C:\Program Files\Transparent
    C:\Documents and Settings\user\Application Data\user
    C:\Documents and Settings\hamed.COMPUTER01\Application Data\Teleca
     
    

    Save it to your desktop as CFScript.txt
    Referring to the picture above, drag CFScript.txt into ComboFix.exe
    CFScript.gif
    This will let ComboFix run again.

    Restart if you have to.
    Save the produced logfile to your desktop.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    : information and logs :

    In your next post I need the following:
    • 1. new log from ComboFix
    • 2. new log from HijackThis
    Gringo
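The two patterns this thread acts on, Run entries whose target has a space before the extension (the "RenV::" files) and Winlogon Notify DLLs listed without any file details (efcaywu.dll, snqoxhau.dll), can be picked out of a ComboFix-style log mechanically. This is an added example in Python, not part of the thread and not ComboFix's own code; SAMPLE_LOG is constructed from lines quoted in the log above, and the finding names are my own.

```python
import re

# Constructed sample: a handful of "Reg Loading Points" lines in the ComboFix
# log format used in this thread (backslash paths kept verbatim).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-03-11 16:18 14336]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [2008-02-03 09:21 5031424]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr .exe" [2008-02-03 09:21 6094848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaywu]
efcaywu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-21 11:26 87352 C:\WINDOWS\system32\LMIinit.dll
"""

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>.*?)(?:\s*\[(?P<info>[^\]]*)\])?$')
NOTIFY_LINE = re.compile(r'^(?P<dll>\S+\.dll)(?:\s+(?P<detail>\S.*))?$', re.IGNORECASE)
# Whitespace right before the extension: "msnmsgr .exe" posing as msnmsgr.exe
SPACED_EXT = re.compile(r'\s\.[A-Za-z0-9]{1,4}$')


def audit_log(text):
    """Return (finding, name) tuples for autostart entries worth a closer look."""
    findings = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key').lower()
            continue
        if '\\winlogon\\notify\\' in key:
            m = NOTIFY_LINE.match(line)
            # ComboFix prints date, size and path after the DLL name when the
            # file exists; a bare name means it could not be found on disk.
            if m and not m.group('detail'):
                findings.append(('notify-dll-without-file', m.group('dll')))
        elif key.endswith('\\run') or key.endswith('\\run-'):
            m = RUN_VALUE.match(line)
            if not m:
                continue
            name, path = m.group('name'), m.group('path').strip().strip('"')
            if SPACED_EXT.search(path):
                findings.append(('space-before-extension', name))
            # An empty "[ ]" after the value means the target file is absent.
            if m.group('info') is not None and not m.group('info').strip():
                findings.append(('missing-target', name))
    return findings


if __name__ == '__main__':
    for kind, name in audit_log(SAMPLE_LOG):
        print(f'{kind:26} {name}')
```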
  • gringo_pr Puerto Rico
    edited February 2008
    Hello momope

    : three day bump :


    It has been three days since my last post.
    • do you still need help with this?
    • do you need more time?
    • are you having problems following my instructions?

    • if after 48hrs you have not replied to this thread then it will have to be closed!

    Gringo
  • Trogan London, UK
    edited February 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead (grin)