Slow Computer; possible zlob detected
Randal-Thor
Australia
Hey. Just today I used Spybot: Search and Destroy to scan my computer and it claimed to have found a file containing Zlob.downloader.eot. My AVG 8 (Bought Version) and Spyware Terminator both didn't produce any such results. Below is the list of antispyware I have installed on my computer:
AVG 8.0.169
Spyware Terminator 2.3.0.488
Spybot: Search and Destroy 1.6
Spyware Blaster 4.1
Hijackthis (Just installed today).
I also have antispyware scanners in my internet browsers. But I have noticed that my computer has been running slower than usual, and so when Spybot produced its result I followed the steps listed on: http://icrontic.com/forum/showthread.php?t=43902
I have attached the reports from the Panda Scan (which says I have a few malware problems) and Kaspersky (which says I am clean). I have also attached the Hijackthis report.
The Panda Scan told me that within my Spyware Terminator I had an active and dangerous malware problem, could you please help me solve these malware issues? I can't understand why each antivirus system is giving me different results. Especially when I disabled all the others as I did a scan with one at a time.
I also had Virus Total scan some of my Spyware Terminator Program files. The results are as follows:
Spyware Terminator RealTime Shield:
Prevxl- Suspicious
Webwasher-Gateway- Virus.Win32.FileInfector.gen!90 (suspicious)
Crawler Spyware Terminator:
F-Secure- Suspicious:W32/QDown.v!Gemini
Prevxl- Suspicious
Webwasher-Gateway- Virus.Win32.FileInfector.gen!90 (suspicious)
Spyware terminator RealTime Shield Service:
Panda- Suspicious File
Webwasher-Gateway- Virus.Win32.FileInfector.gen!90 (suspicious)
Your help will be gladly appreciated in determining if I have any malware/viruses and which of my files are actually infected. If you need to know any more information, please don't hesitate to ask.
Comments
Can you post a new HijackThis log, but post it in the thread and not as an attachment.
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:32:07, on 15/09/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\LANScope Agent\awServ.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\AlarmS4.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201381364156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 12026 bytes
Please do the following...
1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
Crawler <-- remove this if you did not install it intentionally.
Search Settings
2. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
...(Unless you set these with an anti-spyware program like SpyBot's Immunize feature, or a System Administrator set them, have HijackThis fix these.)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
3. Find and delete the following folder:
C:\Program Files\Search Settings
4. Please download Malwarebytes' Anti-Malware to your desktop.
5. I need to see another log from HijackThis.
6. Please post the following...
Malwarebytes log
Uninstall list
New HijackThis log
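The triage applied in the reply above (orphaned "(no file)" hooks, anything living under the Search Settings and Crawler directories, the O6 policy restrictions) is mechanical enough to script. The following is an added example by the editor, not code from this thread or from HijackThis: a small Python parser that walks a HijackThis 2.x log and lists the entry classes a removal helper looks at first. The sample log is a handful of lines copied from the log posted above; the rules, their wording, and the list of unwanted directories are assumptions of this example, and a hit means "confirm this", not "this is malicious".

```python
"""Triage a HijackThis 2.x log and list the entries worth a second look.

Added example for this thread; it is not HijackThis code and the rules are
the editor's own heuristics. Every hit is a "please confirm", not a verdict.
"""
import re
from typing import List, Tuple

# HijackThis lines look like "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [x] y".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Directory fragments of the products the helper asked to remove (assumption:
# anything living under them is unwanted). Matched as path components so the
# publisher string "Crawler.com" on the Spyware Terminator service is not hit.
UNWANTED_DIRS = ("\\search settings\\", "\\crawler\\")


def triage_line(line: str) -> List[str]:
    """Return the reasons a single log line deserves attention ([] if none)."""
    m = HJT_LINE.match(line.strip())
    if not m:            # running-process paths, header, "End of file" etc.
        return []
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    reasons = []

    if "(no file)" in low:
        reasons.append("orphaned: registry still references a file that is gone")
    if any(d in low for d in UNWANTED_DIRS):
        reasons.append("lives under a product directory the helper asked to remove")
    if sec == "O23" and "unknown owner" in low:
        reasons.append("service binary has no publisher information")
    if sec == "O6":
        reasons.append("IE policy restrictions set; fine only if an admin or an immunize tool set them")
    if sec == "O20":
        reasons.append("AppInit_DLLs: injected into every process that loads user32.dll")
    if sec == "R0" and body.rstrip().endswith("="):
        reasons.append("start page value is empty")
    if sec == "O4":
        # Run-key entries are "[name] command"; a bare filename with no directory
        # is resolved by path search at logon, so note it for confirmation.
        cmd = re.search(r"\] (.+)$", body)
        if cmd:
            exe = cmd.group(1).strip().lstrip('"').split('"')[0]
            if "\\" not in exe and not exe.startswith("%"):
                reasons.append("autorun given as bare filename, resolved by path search")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log; keep only the lines that got a reason."""
    hits = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            hits.append((raw.strip(), reasons))
    return hits


# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("    ->", r)
```

The output is a review list, not a fix list: bare-filename autoruns such as RTHDCPL.EXE belong to the Realtek audio driver that appears in the uninstall list, and the AVG AppInit_DLLs entry is the product's own resident shield, so a human still decides which boxes get checked in HijackThis. The point of the script is that nothing in the log is missed, not that it replaces the judgement shown in the reply.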
Ok. For step 1, I uninstalled Crawler toolbar. I attempted to uninstall Search Settings 1.2 but it told me that the Windows Installer was unable to be accessed, unable to work as well in safe mode or was installed incorrectly. I was in regular mode, so that leaves either the first or last option. Any ideas?
In step 2 I was successful and managed to delete all the entries you listed.
Step 3 I deleted the Search Settings folder.
Step 4 I installed, updated and ran Malwarebytes. It came up with a clean scan (no objects found). But, during the scan, I realised I hadn't turned off my Spyware Terminator Real Time shield. And it mentioned twice halfway through the scan, just before I turned it off, about 2 detected threats that opened as Malwarebytes scanned them but didn't pick them up. They were called HackTools.EXE
The MalwareBytes log:
Malwarebytes' Anti-Malware 1.28
Database version: 1159
Windows 5.1.2600 Service Pack 3, v.3311
16/09/2008 5:23:43 PM
mbam-log-2008-09-16 (17-23-43).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 117410
Time elapsed: 41 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
The Uninstall List:
Acer eAcoustics Management
Acer eLock Management
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer LANScope Agent
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Photoshop CS
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
AVG 8.0
Belarc Advisor 7.2
Bonjour
Bonjour
commercial
Compatibility Pack for the 2007 Office system
Digital Locker Assistant
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Intel(R) Active Management Technology LMS Service and SOL Driver
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) PRO Network Connections Drivers
Intel(R) Processor ID Utility
iTunes
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 10
Java(TM) 6 Update 7
Macromedia Fireworks 8
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Hotfix (KB947742)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.1)
MSXML 6.0 Parser (KB933579)
Navman NavDesk 2008
Nero Suite
NETGEAR WG311v3 PCI Adapter
Nitro PDF Professional
NTI Backup NOW! 4.5
NTI CD & DVD-Maker
NVIDIA Drivers
OCA Client history tool install
OpenOffice.org Installer 1.0
Panda ActiveScan 2.0
QuickTime
QuickTime
Realtek High Definition Audio Driver
Search Settings 1.2
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.1
Sudoku Unlimited
The Battle for Middle-earth (tm) II
TuneUp Utilities 2008
Uniblue RegistryBooster 2
Windows Imaging Component
Windows Internet Explorer 8 Beta 2
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Resource Kit Tools
Windows XP Service Pack 3
WinZip
WinZip 11.1
WinZip 11.2
WOT for Internet Explorer
Xiph QuickTime Components
The Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:00, on 16/09/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\LANScope Agent\awServ.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\AlarmS4.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201381364156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 10641 bytes
Please do the following...
1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 10
2. Open HijackThis
- Click Open the Misc Tools section
- Click Open Uninstall Manager
- Select Search Settings 1.2 and press Delete this entry
Close HijackThis
3. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!
- Double-click ATF Cleaner.exe to open it.
- Under Main select the following:
- Windows Temp
- Current User Temp
- All Users Temp
- Temporary Internet Files
- Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Click Exit on the Main menu to close the program.
4. Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
- Extended (if available, otherwise Standard)
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- Select My Computer
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button:
- Change Save as type: to Text file
- Save this as Kaspersky scan to your Desktop
- Post the Kaspersky report in your next reply.
I used the ATF Cleaner to clean out my temp folders and the like, and it cleared 91MB. The uninstall failed to work as it told me that Windows Installer was unavailable. So once again I have been unable to uninstall the programs you have requested. I also noticed that Search Settings 1.2 was still installed, even though you had me remove the entry in Hijackthis.
I ran a Kaspersky Scan and it found nothing.
Kaspersky Scan:
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3, v.3311 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 17, 2008 21:24:55
Records in database: 1246444
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 64464
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:59:27
No malware has been detected. The scan area is clean.
The selected area was scanned.
Thank you so far for your help. What's next?
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-09-19 15:46:46
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP46\A0033357.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP45\A0032204.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP76\A0040384.exe
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP76\A0040746.exe
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP76\A0043062.EXE
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP46\A0033344.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP45\A0032200.exe
03582346 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\IEDFix.C.exe
03582346 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP45\A0032201.exe
03582346 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP46\A0033354.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location 9
;===================================================================================================================================================================================
No C:\Documents and Settings\All Users\Application Data\Apple\Installer Cache\Apple Mobile Device Support 2.1.0.25\AppleMobileDeviceSupport.msi[unk_0051][EventFixer.exe]
No C:\Program Files\Common Files\Apple\Mobile Device Support\bin\EventFixer.exe 9
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 9
;===================================================================================================================================================================================
;===================================================================================================================================================================================
The files for Search Settings 1.2 may be corrupt or missing, hence why Windows cannot delete it. We will try one more tool, but if this is unsuccessful, you may need to download Search Settings 1.2 and then uninstall it.
Download MyUninstaller to your Desktop and unzip it.
Open the myuninst folder and double-click myuninst.exe. Allow any attempts from your firewall.
Select Search Settings 1.2, and press Ctrl+U (or click File > Uninstall Selected Software). If no luck, select Search Settings 1.2 again and hold Ctrl+Del.
Let me know how it goes.
The Search Settings 1.2 didn't have an entry in the program you told me to use. So I have been unable to remove it from my computer.
What about the Panda Scan? Are those hacktools easy to remove? I have removed them before with AVG 8, but it appears they are back.
Search Settings appears to have disappeared from my computer, which is good. I have also uninstalled both the Java updates as you told me to.
But now I have a growing concern. I mentioned hacktools in my post, they continue to reappear in my system volume information. But now I have more concerns. I ran panda active scan and it told me there was "ied.fix" in my system 32/drivers/etc folder. I had it removed. But then Trend Micro Housecall online scan found "antixpspy" in the same folder as well as 101 spyware infections in my Hosts file. It appears that my system 32 folder is under attack from malware.
Thank you for your help so far.
Please post a reply when you get a chance as to what I should do next.
Thank you. I look forward to your reply.
The "Hacktools" are in System Restore. To remove them, do the following...
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
- Turn it back 'On' by unticking the same checkbox & click OK
As for Trend Micro, do you have a report? The Hosts files are not likely infected. Hosts files block sites that are harmful and Trend Micro may have detected the sites.
However, update Malwarebytes, run a scan and save the log. Post that back here.
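An added example (not from this thread or its helper) of the check behind that answer: parse a hosts file and separate blocklist-style lines, which immunisation tools add and which scanners may count as "infections", from entries that redirect or block a security vendor or update domain. The sample hosts file and the list of protected vendor domains are constructed for this example.

```python
"""Added example: classify Windows hosts-file entries.

Immunisation tools such as Spybot S&D and SpywareBlaster add lines mapping
known bad domains to 127.0.0.1 or 0.0.0.0 so they cannot be reached; some
scanners count each such line as a "hosts infection". The entries a defender
should actually worry about are the ones that touch a security vendor or
update domain, whether they block it or send it elsewhere.
"""
import ipaddress

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical list for this example: domains that should never appear in a
# hosts file at all, because blocking or redirecting them starves AV updates.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "kaspersky.com",
    "avg.com", "trendmicro.com", "pandasecurity.com", "f-secure.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()    # drop comments and blanks
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not a valid IP: skip junk
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def classify(ip, host):
    """Return 'default', 'blocklist', 'hijack' or 'redirect' for one mapping."""
    if host == "localhost" and ip in BLOCK_TARGETS:
        return "default"
    if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "hijack"          # vendor/update domain blocked or redirected
    if ip in BLOCK_TARGETS:
        return "blocklist"       # benign, immunisation style
    return "redirect"            # custom mapping; review manually


def summarize(text):
    """Count entries per class and list the hijack-style ones."""
    counts = {"default": 0, "blocklist": 0, "hijack": 0, "redirect": 0}
    hijacks = []
    for ip, host, line_no in parse_hosts(text):
        kind = classify(ip, host)
        counts[kind] += 1
        if kind == "hijack":
            hijacks.append((line_no, host, ip))
    return {"counts": counts, "hijacks": hijacks}


# Constructed sample hosts file: three blocklist mappings of the kind an
# immunisation tool adds, one custom mapping, and one vendor-domain hijack
# (203.0.113.5 is a documentation address, not a real server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 ads.example.net
0.0.0.0   tracker.example.org   www.tracker.example.org
192.0.2.10 intranet.example.com   # custom mapping, not a block
203.0.113.5 www.kaspersky.com     # vendor site sent elsewhere
not-an-ip  bogus.example
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_HOSTS)
    print(report["counts"])
    for line_no, host, ip in report["hijacks"]:
        print(f"line {line_no}: {host} -> {ip} (suspicious entry)")
```

Run against the real file at C:\WINDOWS\system32\drivers\etc\hosts, a high "blocklist" count with an empty "hijacks" list is the benign picture the helper describes.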
I updated Malwarebytes and it detected no malware. The report:
Malwarebytes' Anti-Malware 1.28
Database version: 1194
Windows 5.1.2600 Service Pack 3, v.3311
23/09/2008 3:42:21 PM
mbam-log-2008-09-23 (15-42-21).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 93092
Time elapsed: 1 hour(s), 9 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I turned off the System Restore as above and then turned it back on. I take it that will have completely wiped the hacktools from my computer now?
There are 101 infections, all in the Hosts File, detected by Trend Micro. The Trend Micro Housecall Online Scanner doesn't provide a report you can download so I took a screenshot for you, found at the following link where I uploaded it:
http://i51.photobucket.com/albums/f356/lclifford/untitled.jpg
I have 2 questions as well:
1/ The reason I first posted here was because of a Zlob Downloader, detected by Spybot. Is that a threat or just a misdetection by Spybot?
2/ I also had antivirus programs tell me that Spyware Terminator is suspicious and contains viruses. Are those claims also threats or fake?
I appreciate your help so far. You have been great.:)
Yes!
Most likely a false positive.
I wouldn't consider Spyware Terminator as a trustworthy program. I would just stick with Malwarebytes.
Could you tell me the exact location shown in the picture as the picture is blurry.
---
I'd like to run a powerful tool.
Please visit this webpage for download links, and instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
A couple of things.
1/ I can't install the Windows Recovery Console as I wasn't provided with an XP disk when I purchased this computer. I have older XP disks and they won't install it on my computer. Any other ways?
2/ Yesterday Panda Online Active Scan detected another hacktool, which I removed. It was in the system 32 folder again. Are these going to keep reappearing?
The link provides instructions to Microsoft to download the Recovery Console if you do not have a Windows CD. Please read the instructions again.
I'm not sure why these hacktools are appearing right now. And what you describe here is not the right location for the previous hacktools detection. Can you give me the exact location of the above detection.
Ok. The file location for the hacktool was:
C:\WINDOWS\system32\Process.exe
It was removed.
I followed the instructions in the guide for Combo Fix and WINDOWS Recovery Console.
I dragged the windows recovery installation into Combo Fix. This is where I am concerned:
1/ The box that came up was the same as the one in the guide. But no disclaimer appeared. Also, once it had finished and had rebooted, the log appeared (according to the guide a Dialog box was supposed to appear telling me about the log but that didn't happen) and I saved it to the desktop. The problem is, the log told me that the recovery console hadn't been installed.
2/ After the reboot, I received a warning from AVG, telling me about a Virus called: BackDoor.Hupigon, found in the System Volume/Restore Information. I quarantined it.
COMBO FIX LOG:
ComboFix 08-09-25.05 - Liam 2008-09-26 18:35:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1350 [GMT 10:00]
Running from: C:\Documents and Settings\Liam\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Liam\Local Settings\Temporary Internet Files\SuggestedSites.dat
C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.
2008-09-24 16:50 . 2003-12-11 09:50 70,894 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2008-09-24 16:50 . 2003-12-11 09:50 25,630 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2008-09-24 16:50 . 2003-11-26 09:50 19,968 --a------ C:\WINDOWS\Logi_MwX.Exe
2008-09-24 16:24 . 2008-09-24 16:24 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-09-23 22:00 . 2008-09-23 22:22 <DIR> d-------- C:\Program Files\VS Revo Group
2008-09-23 21:42 . 2008-09-23 21:43 <DIR> d-------- C:\TEMP
2008-09-23 21:42 . 2008-09-23 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Premium Security Suite
2008-09-23 21:03 . 2008-09-23 21:03 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Avira
2008-09-23 20:57 . 2008-09-23 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-23 20:57 . 2008-05-07 14:20 71,592 --a------ C:\WINDOWS\system32\drivers\avfwot.sys
2008-09-23 20:57 . 2008-05-07 10:51 71,464 --a------ C:\WINDOWS\system32\drivers\avfwim.sys
2008-09-21 17:45 . 2008-09-21 17:45 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-09-21 16:48 . 2004-08-04 15:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN5A.tmp
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN59.tmp
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN58.tmp
2008-09-20 15:47 . 2008-09-26 18:30 <DIR> d-------- C:\Program Files\Crawler
2008-09-19 07:27 . 2008-09-19 07:32 <DIR> d-------- C:\Program Files\Driver Sweeper
2008-09-16 16:40 . 2008-09-16 16:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 16:40 . 2008-09-16 16:40 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Malwarebytes
2008-09-16 16:40 . 2008-09-16 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 16:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 16:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-14 18:49 . 2008-09-21 15:50 <DIR> d-------- C:\Documents and Settings\Liam\.housecall6.6
2008-09-13 18:36 . 2008-09-13 18:36 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Simply Super Software
2008-09-13 15:00 . 2008-09-13 15:00 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\TrojanHunter
2008-09-12 16:46 . 2008-09-12 16:46 <DIR> d-------- C:\Program Files\iPod
2008-09-12 16:45 . 2008-09-12 16:46 <DIR> d-------- C:\Program Files\iTunes
2008-09-12 16:45 . 2008-09-12 16:45 <DIR> d-------- C:\Program Files\Bonjour
2008-09-12 16:45 . 2008-09-12 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 17:29 . 2008-09-11 17:29 <DIR> d-------- C:\Program Files\Macromedia
2008-09-11 17:29 . 2008-09-11 17:29 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-09-11 17:12 . 2008-06-25 02:43 74,240 --------- C:\WINDOWS\system32\dllcache\mscms.dll
2008-09-11 17:11 . 2008-06-20 21:51 361,600 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-09-11 17:11 . 2008-06-21 03:46 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-09-11 17:11 . 2008-06-20 21:08 225,856 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-09-11 17:11 . 2008-06-21 03:46 147,968 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-09-11 17:11 . 2008-06-20 21:40 138,496 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-09-11 17:10 . 2008-06-13 21:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-11 17:09 . 2008-04-12 05:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-11 17:08 . 2008-07-08 06:26 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll
2008-09-11 17:08 . 2008-05-09 00:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-10 20:33 . 2008-09-10 20:33 <DIR> d-------- C:\fsaua.data
2008-09-10 18:43 . 2008-09-10 18:43 <DIR> d--hs---- C:\Documents and Settings\Liam\PrivacIE
2008-09-10 17:50 . 2008-09-10 17:51 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-10 17:45 . 2008-09-10 17:45 <DIR> d-------- C:\WINDOWS\Logs
2008-09-10 17:31 . 2008-09-10 17:31 <DIR> d-------- C:\Program Files\Belarc
2008-09-10 17:31 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-09-10 10:11 . 2008-09-10 10:11 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-10 09:07 . 2008-09-10 09:07 <DIR> d-------- C:\5a45d66c462ee2a14b9a88
2008-09-10 09:06 . 2008-09-10 09:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-10 09:00 . 2008-09-10 09:00 <DIR> dr-h----- C:\AHCache
2008-09-10 08:50 . 2008-08-11 12:48 2,295,328 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-09-10 08:50 . 2008-08-11 12:48 152,064 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-09-10 08:50 . 2008-08-11 12:24 143,360 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-09-10 08:50 . 2008-08-11 12:24 143,360 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-09-10 08:50 . 2008-08-11 12:23 106,496 --a------ C:\WINDOWS\system32\hccutils.dll
2008-09-10 08:50 . 2008-08-11 12:48 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-09-10 08:50 . 2008-08-11 12:24 52,224 --a------ C:\WINDOWS\system32\igfxsrvc.dll
2008-09-09 19:42 . 2008-09-10 09:15 <DIR> d-------- C:\Program Files\Uniblue
2008-09-09 19:42 . 2008-09-09 19:42 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Uniblue
2008-09-09 19:06 . 2008-09-09 19:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 13:30 . 2008-09-09 13:30 <DIR> d-------- C:\Intel
2008-09-09 12:41 . 2008-09-09 12:41 <DIR> d-------- C:\Program Files\Panda Security
2008-09-09 12:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-09 12:17 . 2008-09-09 12:17 2,826 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 12:16 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-09 12:16 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-09 10:51 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-09 10:51 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-09 10:51 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-09-09 10:51 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe.vir
2008-09-09 10:36 . 2008-09-21 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-09 09:36 . 2008-09-09 09:36 <DIR> d-------- C:\ie-spyad_zo
2008-09-08 22:28 . 2008-09-24 09:22 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-05 17:38 . 2008-09-05 17:38 <DIR> d-------- C:\Documents and Settings\Liam\dwhelper
2008-09-04 10:10 . 2008-09-04 10:11 56 --a------ C:\WINDOWS\AudioMidRecorder.INI
2008-09-04 10:02 . 2008-09-04 10:02 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Search Settings
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-26 06:50 --------- d-----w C:\Program Files\WinClamAVShield
2008-09-24 12:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-09-24 11:25 --------- d-----w C:\Documents and Settings\Liam\Application Data\U3
2008-09-23 23:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-23 10:26 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-09-23 10:22 --------- d-----w C:\Documents and Settings\Liam\Application Data\uTorrent
2008-09-23 10:19 --------- d-----w C:\Documents and Settings\Liam\Application Data\Spyware Terminator
2008-09-23 09:29 --------- d-----w C:\Program Files\Spyware Terminator
2008-09-21 07:45 --------- d-----w C:\Program Files\MSECache
2008-09-13 03:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-12 06:44 --------- d-----w C:\Program Files\QuickTime
2008-09-12 06:44 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-10 00:12 --------- d-----w C:\Program Files\Java
2008-09-06 12:12 --------- d-----w C:\Documents and Settings\Liam\Application Data\My Battle for Middle-earth(tm) II Files
2008-09-03 11:17 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-24 12:26 --------- d-----w C:\Documents and Settings\Liam\Application Data\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Common Files\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Common Files\BCL Technologies
2008-08-24 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nitro PDF
2008-08-22 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 09:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-17 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-08-14 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-08-14 10:57 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-12 06:10 4,751,360 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-11 12:13 --------- d-----w C:\Program Files\Apple Software Update
2008-08-11 02:48 6,044,864 ----a-w C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-08-10 03:11 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-10 03:10 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-09 06:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 05:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-08-05 09:53 --------- d-----w C:\Program Files\Sun
2008-07-31 05:05 16,806,912 ----a-w C:\WINDOWS\RTHDCPL.EXE
2008-07-27 09:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-26 07:52 --------- d-----w C:\Program Files\Acer
2008-03-01 22:49 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030220080303\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-06-20 153856]
"DriverMax"="C:\Program Files\Innovative Solutions\DriverMax\devices.exe" [2008-07-25 5057368]
"SetDefaultMIDI"="MIDIDef.exe" [2005-12-08 C:\WINDOWS\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-09-09 1783808]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 1235736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-08-11 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-08-11 172032]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-08-11 143360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 C:\WINDOWS\RTHDCPL.EXE]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-26 C:\WINDOWS\Logi_MwX.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-02-12 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/16/2008 4:03:11 PM 113664]
AlarmS4.lnk - C:\WINDOWS\system32\AlarmS4.exe [8/20/2003 9:15:36 AM 241664]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe [1/26/2006 4:55:04 PM 1486848]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 0 (0x0)
"DisableClock"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-20 12936]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 avfwot;avfwot;C:\WINDOWS\system32\DRIVERS\avfwot.sys [2008-05-07 71592]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 97928]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2006-05-18 26090]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-07 141312]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 76040]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys [2006-06-06 17536]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys [2006-06-07 90112]
R2 LMS;Intel(R) Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe [2006-06-29 98304]
R2 LockServ;LockServ;C:\Acer\Empowering Technology\eLock\LockServ.exe [2006-05-30 368640]
R2 netlimiter;netlimiter;C:\WINDOWS\system32\drivers\netlimiter.sys [2006-01-25 11136]
R2 netlock;netlock;C:\WINDOWS\system32\drivers\netlock.sys [2006-01-19 2116096]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-07-01 7296]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-04-01 4010]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-02-12 14336]
R3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [2008-05-07 71464]
R3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-16 3456]
S2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [ ]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-16 81920]
S3 bepldr;BCL easyPDF SDK 5 Loader;C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-08-22 151552]
S3 MTXPARH;MTXPARH;C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys [2005-04-22 500608]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-01 355584]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
.
Supplementary Scan
.
FireFox -: Profile - C:\Documents and Settings\Liam\Application Data\Mozilla\Firefox\Profiles\ru356jyp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 18:39:14
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-26 18:43:49 - machine was rebooted [Liam]
ComboFix-quarantined-files.txt 2008-09-26 08:43:46
Pre-Run: 136,908,001,280 bytes free
Post-Run: 136,828,592,128 bytes free
309 --- E O F --- 2008-09-09 20:52:21
So, why didn't the recovery installation occur? Why are the viruses continuing to infect the System Restores? And did Combo Fix work? Did I do everything properly?
Your help has been fantastic, I look forward to your response.
Did you install the Windows Recovery Console for Windows XP Professional Service Pack 2 (SP2)? This is the correct download needed. Don't do anything else, but let me know which version please.
Not sure why files are being found in the System Restore; however, they are harmless because they are System Restore. Only if you use System Restore to go back in time to a working condition will there be problems.
I'll post a reply soon once I have reviewed the ComboFix log.
I believe I may have used the Service Pack 1 file. I have now downloaded the Service Pack 2 file but haven't done anything more.
Thanks so far.
Going back a bit; I would suggest uninstalling Spyware Terminator if you haven't already.
Find and delete the following Folders in RED, if found:
C:\Program Files\Crawler
C:\Program Files\Spyware Terminator
C:\Program Files\WinClamAVShield
The ComboFix log appears clean, so you do not have to install the Recovery Console. I have looked back at the thread and see all the scans come up clean.
Let me know if malware is still being detected in System Restore and if there are other problems.
I have uninstalled Crawler, ClamAV and Spyware Terminator. I thought you might also like to know that when I opened this page up today and saw your post, Spyware Terminator and Crawler had a different language which I couldn't understand. So something has changed the settings for some reason. More malware undetected?
I will run AVG, Spybot, Panda and Kaspersky scans and report back to you the results. Also, earlier I mentioned that Trend Micro Housecall detected infections in the HOSTS file. Are those infections real or did it just detect the websites the HOSTS file blocks?
What antivirus and antispyware programs would you recommend I have installed on my computer? At the moment I have AVG 8 Professional Edition, Spybot: Search and Destroy 1.6 and Spyware Blaster. In my internet browsers I have WOT, AVG and in IE BitDefender.
Thank you for your help in solving most of these issues. Which brings me to my last question. Will I continue to get infections in my system restore information? And how come I was getting infections in that particular location?
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-09-28 18:54:18
PROTECTIONS: 2
MALWARE: 5
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus 8.0 Yes Yes
Avira Premium Security Suite 8.0.1.27 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP102\A0047012.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP102\A0046972.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP104\A0047530.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP104\A0047503.sys
03582346 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP102\A0047016.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP103\A0047458.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Liam\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\ComboFix\catchme.cfexe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
AVG and Spybot are clean. I can't get Kaspersky to run. I haven't run Trend Micro yet.
As you can see, the System Restore Information is infected again. The Hacktools appear to be back. Also, Combo Fix appears to be infected, so I take it that if this is an accurate scan, when I used Combo Fix I have effectively released some of those detected viruses?
I have installed Zone Alarm Pro onto my computer, with the firewall and its protection settings enabled. Is this a powerful and trustworthy antivirus/antispyware program?
I have also noticed another problem. Before I used Combo Fix, the Trend Micro Housecall Online Scanner used to complete its scan. Just yesterday I ran the scan twice and halfway through each scan the computer restarted, with no error messages at all. So I have been unable to run a full Trend Micro Scan.
Current Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08, on 2008-09-29
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\LANScope Agent\awServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\AlarmS4.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\TuneUp Utilities 2008\Integrator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201381364156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 9844 bytes
Adding at 1:25 pm:
The computer restarted and when I logged in, took me to my desktop background, with no icons or menu. I was forced to restart. It did this twice. Malware?
I'm going to answer your questions from the last three posts. Please answer my questions...
I'm not sure what you mean by "Spyware Terminator and Crawler had a different language"?
The picture is a bit blurry. Can you tell me the exact location that is shown? Is it C:\WINDOWS\system32\drivers\etc?
We can deal with this at the end.
No, ComboFix is not infected. ComboFix uses a program to detect malware which anti-spyware programs flag as malware, but it is safe.
Let's try this for the System Restore.
- Click Start | Help and Support | Undo changes to your computer with System Restore.
- Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
- Close the Help and Support Center box.
- Click Start | Run and type Cleanmgr
- Select (C: ) then click OK.
- Click the More Options tab.
- Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
That is fine, but make sure you only have one anti-virus and firewall program. Multiple programs will conflict and cause problems.
We are not going to use the Trend Micro scan as there are better programs.
No malware showing in the HijackThis log. Also the other scans are coming back clean.
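Added example, not part of this thread and not HijackThis code: a Python script that applies the kind of reading done on the HijackThis log above, flagging entries whose file is missing, services with no publisher information, autoruns without a full path, binaries in user-writable folders and random-looking 8-letter DLL names. The sample lines are copied from the logs in this thread except for the last two, which are constructed and marked as such.

```python
"""Heuristic triage of HijackThis log entries.

Added example, not part of this thread and not HijackThis code. It applies the
checks a helper makes by eye: files that no longer exist, services with no
publisher, autoruns without a full path, binaries in user-writable folders and
Vundo-style random 8-letter DLL names like jKKLFvUK.dll / rqRIKeEU.dll, the
pair ComboFix removes later in the thread. Flags are hints, not verdicts.
"""
import re

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First file reference in an autorun value, quoted or not, followed by arguments.
FILE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|sys|com|scr|bat))\b"?', re.I)
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\recycler\\")

# Lines 1-5 are copied from the HijackThis logs in this thread. The last two are
# constructed: the all-zero CLSID is a placeholder, and the "[A]" entry models
# the startup program the poster saw ZoneAlarm block, with an invented path.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\jKKLFvUK.dll
O4 - HKCU\..\Run: [A] C:\Documents and Settings\Liam\Local Settings\Temp\a.exe
"""

def parse_entry(line):
    """Split one entry into (kind, name, owner, target); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    owner = None
    if kind == "O4":
        # "HKLM\..\Run: [name] path args"  or  "Global Startup: x.lnk = path"
        if "] " in body:
            name, target = body.split("] ", 1)
            name = name.split("[", 1)[-1]
        elif " = " in body:
            name, target = body.split(" = ", 1)
        else:
            name, target = "", body
    else:
        # "BHO: name - {CLSID} - path"  or  "Service: name - owner - path (file missing)"
        fields = [f.strip() for f in body.split(" - ")]
        name, target = fields[0].split(": ", 1)[-1], fields[-1]
        if kind == "O23" and len(fields) >= 3:
            owner = fields[-2]
    return kind, name.strip(), owner, target.strip()

def file_path(target):
    """Extract the file path from a target; None when HijackThis reports no file."""
    low = target.lower()
    if "(no file)" in low or "(file missing)" in low:
        return None
    m = FILE_RE.search(target)
    return m.group(1) if m else target

def looks_random(basename):
    """Vundo-style DLL name: exactly 8 letters with at least three case changes."""
    stem, _, ext = basename.rpartition(".")
    if ext.lower() != "dll" or not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return flips >= 3

def triage(line):
    """Return the list of flags for one entry; an empty list means nothing odd."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, name, owner, target = parsed
    flags = []
    if kind == "O23" and owner == "Unknown owner":
        flags.append("service carries no publisher information")
    path = file_path(target)
    if path is None:
        flags.append("referenced file is missing: orphaned or half-removed entry")
        return flags
    if kind == "O4" and "\\" not in path:
        flags.append("autorun without a full path: resolved through PATH at logon")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        flags.append("binary runs from a user-writable location")
    if kind == "O2" and name == "(no name)":
        flags.append("BHO registered without a display name")
    if looks_random(path.rsplit("\\", 1)[-1]):
        flags.append("random-looking 8-letter DLL name (Vundo pattern)")
    return flags

def triage_log(text):
    """Triage every line; returns {entry: flags} for flagged entries only."""
    return {ln.strip(): f for ln in text.splitlines() if (f := triage(ln))}

if __name__ == "__main__":
    for entry, flags in triage_log(SAMPLE_LOG).items():
        print(entry + "".join("\n   -> " + f for f in flags))
```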
The location in the Trend Micro Scan is: C:\WINDOWS\system32\drivers\etc\hosts
I made a new restore point and have wiped the others. I will run a Panda Scan shortly to see if the new one becomes infected.
Understood. I have disabled the Windows Firewall to avoid firewall conflicts.
Sounds good. Sounds like we might almost be finished. :)
ADDING:
I ran a Panda Scan. It only came up with one infection and that was the Combo Fix file. As we have finished with Combo Fix, can I delete it now? Are there any files it has installed that I should remove?
Not sure why that happened, but don't worry about it if you have removed these programs.
That is the correct location for the Hosts file. My only guess is that Trend Micro is showing what is included in the Hosts file. Hosts files themselves do not get infected.
I suggest keeping Malwarebytes Anti-Malware and scanning with it regularly. You can keep or remove ATF Cleaner (simply delete it) and MyUninstaller (needs uninstalling).
As for ComboFix, do the following...
Click Start > Run > type: combofix /u > Press OK. This will uninstall ComboFix.
Here are some simple steps in order to keep your computer clean and secure. If you have any other questions, let me know.
(Vista users must ensure that any programs are Vista compatible BEFORE installing )
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
- CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start > Run > type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
- DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools > Folder Options > View tab.
- Untick - Show hidden files and folders
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
- SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Select Custom Level.
- Change 'Download signed ActiveX controls' to Prompt
- Change 'Download unsigned ActiveX controls' to Disable
- Change 'Initialize and script ActiveX controls not marked as safe' to Disable
- Change 'Installation of desktop items' to Prompt
- Change 'Launching programs and files in an IFRAME' to Prompt
- Change 'Navigate sub-frames across different domains' to Prompt
- When all these changes have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
- ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources: http://www.bleepingcomputer.com/forums/topict405.html
It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here: http://www.bleepingcomputer.com/forums/tutorial60.html
- Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial43.html
- AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial48.html
- SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
- IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
- http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
- http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
- http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
- http://toolbar.google.com/ - Google Toolbar - Get the free Google Toolbar to help stop pop up windows.
- http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
- http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
- http://www.winpatrol.com/ - Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here: http://www.winpatrol.com/features.html
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html
After doing all these, your system will be optimised against future threats.
It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Let me know if everything is OK, so we can mark this thread as resolved.
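Added example, not part of this thread or of any of the tools it names, for the HOSTS file question answered earlier in this post: a Python script that classifies hosts-file lines, separating the "127.0.0.1 <blocked name>" entries that anti-spyware immunisation writes (and that an online scanner may report) from entries that redirect a name to another address or block a name the machine depends on. The hosts content below is constructed and labelled as such; the watch-keyword list and the RFC 5737 address are assumptions for the sample.

```python
r"""Classify Windows hosts-file entries: blocklist lines versus redirects.

Added example, not part of this thread. Anti-spyware immunisation writes
"127.0.0.1 <bad host>" lines into the hosts file, and a scanner that reads the
file can report those names; the lines that matter to a defender are the ones
pointing a name somewhere else, or blocking a name the machine depends on,
such as an update server. The sample data below is constructed.
"""
import ipaddress
from collections import Counter

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Blocked names containing these words deserve a look: malware commonly blocks
# update and security-vendor hosts. In practice, list the vendors you rely on.
WATCH_KEYWORDS = ("update", "antivirus", "security")

# Constructed sample, not the poster's file. Blocked names are fictional and
# 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_HOSTS = """\
# Constructed sample for this example, not the poster's file.
127.0.0.1       localhost
::1             localhost
# Entries of the kind Spybot-style immunisation adds (blocked names are fictional):
127.0.0.1       ads.example-tracker.test
0.0.0.0         banner.example-popups.test
# Entries of the kind a hosts hijack adds (fictional):
127.0.0.1       update.example-av.test
203.0.113.5     www.example-bank.test
"""


def classify_line(line):
    """Return (category, ip, names) for one hosts line.

    Categories: comment (also blank lines), malformed, local, block (the name
    is pointed at the machine itself, i.e. a blocklist entry) and redirect
    (the name is sent anywhere else).
    """
    text = line.split("#", 1)[0].strip()
    if not text:
        return "comment", None, []
    parts = text.split()
    if len(parts) < 2:
        return "malformed", None, parts
    try:
        addr = ipaddress.ip_address(parts[0])
    except ValueError:
        return "malformed", parts[0], parts[1:]
    names = [n.lower() for n in parts[1:]]
    if all(n in LOCAL_NAMES for n in names):
        return "local", parts[0], names
    if addr.is_loopback or addr.is_unspecified:
        return "block", parts[0], names
    return "redirect", parts[0], names


def review(hosts_text):
    """Summarise a hosts file: per-category counts plus the entries worth a look."""
    counts = Counter()
    concerns = []
    for line in hosts_text.splitlines():
        category, ip, names = classify_line(line)
        counts[category] += 1
        if category == "redirect":
            concerns.append(f"{' '.join(names)} -> {ip}: name redirected off this machine")
        elif category == "block":
            concerns += [f"{n} -> {ip}: security-related name blocked"
                         for n in names if any(k in n for k in WATCH_KEYWORDS)]
    return dict(counts), concerns


if __name__ == "__main__":
    counts, concerns = review(SAMPLE_HOSTS)
    print("entries by category:", counts)
    for item in concerns:
        print("review:", item)
```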
Hey.
Ok. This morning when I read your post I was happy to say we had finished and to thank you for all your help. BUT. My friend gave me a copy of his "legitimate" AVG 8 Internet Security Suite via mail, as my license is about to run out and he claimed he had bought another. So I opened it up and ran the exe file. And that's when everything went bad. I have spoken to my friend since and he has admitted it was a pirated copy which he hasn't tried yet. I was the "test". But, never mind that for the moment. Here is what happened:
To begin with, my taskbar and start menu and all my desktop items vanished. I could use task manager, and that was it. I restarted, but no change. As I had followed your instructions this morning and had wiped all my system restore points, I couldn't use that as an option. So I went into Safe Mode. Unfortunately, the taskbars and everything else disappeared, although Safe Mode continued to bring them back for 30 seconds before they disappeared. Also, my Winpatrol kept on reporting 2 new IE addons, which I denied. These continued to pop up though, no matter how many times I refused installation. Then Winpatrol asked if I would allow my HOSTS file to be changed. I denied that also, but it came back too. I ran Zone Alarm and found a program called "A" was attempting to run on startup. I removed that and then the computer restarted.
The computer then shut down, and wouldn't boot for 5 minutes. Then I got it back up and went into safe mode again. I ran HiJackThis but there were no entries I didn't recognise the name of. I ran AVG 8 and it ran a command prompt scan. 3/4 of the way through, it quit unexpectedly with no error message. I opened up Combo Fix and ran a scan. It deleted many files, including the 2 IE addons, named:
jKKLFvUK.dll and rqRIKeEU.dll
As soon as Combo Fix rebooted and gave a log, my system began to respond properly. My netgear was disabled though, and a few files had been removed. I reinstalled and had to find the files again. I ran Combo Fix again, and it deleted some folder that it deleted last time. I will attach the 2 logs in separate posts. All well and good. Except:
-Some of my programs stop responding upon opening
-The system seems slower than usual
-I don't know if the malware is gone
I will run an AVG Scan after this post, as well as Spybot, ESET, an online a-squared Trojan Scanner, Kaspersky and Panda.
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18:18, on 2/10/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\AlarmS4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201381364156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 9809 bytes
ComboFix Log:
ComboFix 08-10-01.02 - Liam 2008-10-02 12:02:47.1 - NTFSx86
Running from: G:\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 33809 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jkkLFvUK.dll
C:\WINDOWS\system32\KUvFLkkj.ini
C:\WINDOWS\system32\KUvFLkkj.ini2
C:\WINDOWS\system32\ljJApQkj.dll
C:\WINDOWS\system32\mlJYqRKe.dll
C:\WINDOWS\system32\opnlMgda.dll
C:\WINDOWS\system32\opnmmlMG.dll
C:\WINDOWS\system32\pmnKEXoo.dll
C:\WINDOWS\system32\rqRIxutr.dll
C:\WINDOWS\system32\rqRlKeEU.dll
C:\WINDOWS\system32\ssqPhHwx.dll
C:\WINDOWS\Windows32.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
BITS: Possible infected sites
hxxp://wzporn.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_MCHINJDRV
((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.
2008-10-02 10:10 . 2006-03-20 17:20 <DIR> d-------- C:\Documents and Settings\Zoomer\Application Data\Avocent AdminWorks
2008-10-02 10:10 . 2008-10-02 10:50 <DIR> d---s---- C:\Documents and Settings\Zoomer
2008-10-02 07:55 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-10-02 07:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-01 18:57 . 2008-10-02 07:48 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-09-30 09:44 . 2008-09-30 09:44 280 --a------ C:\WINDOWS\system32\PDBootState
2008-09-30 09:40 . 2008-09-30 09:40 <DIR> d-------- C:\Program Files\Raxco
2008-09-30 09:20 . 2008-01-09 22:00 68,624 -ra------ C:\WINDOWS\system32\drivers\DefragFS.sys
2008-09-30 09:19 . 2008-09-30 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-09-30 09:07 . 2008-09-30 09:07 <DIR> d-------- C:\Program Files\BillP Studios
2008-09-30 09:07 . 2008-09-30 09:07 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\WinPatrol
2008-09-30 08:46 . 2008-09-30 08:46 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-30 08:30 . 2008-09-30 08:30 <DIR> d-------- C:\Program Files\NOS
2008-09-30 08:30 . 2008-09-30 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-29 12:32 . 2008-09-29 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-09-29 11:03 . 2008-09-29 11:03 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-29 11:02 . 2008-10-02 11:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-28 19:46 . 2008-09-14 18:50 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-24 16:50 . 2003-12-11 09:50 70,894 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2008-09-24 16:50 . 2003-12-11 09:50 25,630 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2008-09-24 16:50 . 2003-11-26 09:50 19,968 --a------ C:\WINDOWS\Logi_MwX.Exe
2008-09-24 16:24 . 2008-09-28 15:55 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-09-23 22:00 . 2008-09-23 22:22 <DIR> d-------- C:\Program Files\VS Revo Group
2008-09-23 21:42 . 2008-09-23 21:43 <DIR> d-------- C:\TEMP
2008-09-23 21:42 . 2008-09-23 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Premium Security Suite
2008-09-23 21:03 . 2008-09-23 21:03 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Avira
2008-09-23 20:57 . 2008-09-23 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-23 20:57 . 2008-05-07 14:20 71,592 --a------ C:\WINDOWS\system32\drivers\avfwot.sys
2008-09-23 20:57 . 2008-05-07 10:51 71,464 --a------ C:\WINDOWS\system32\drivers\avfwim.sys
2008-09-21 17:45 . 2008-09-21 17:45 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-09-21 16:48 . 2004-08-04 15:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN5A.tmp
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN59.tmp
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN58.tmp
2008-09-19 07:27 . 2008-09-19 07:32 <DIR> d-------- C:\Program Files\Driver Sweeper
2008-09-16 16:40 . 2008-09-16 16:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 16:40 . 2008-09-16 16:40 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Malwarebytes
2008-09-16 16:40 . 2008-09-16 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 16:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 16:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-14 18:49 . 2008-09-21 15:50 <DIR> d-------- C:\Documents and Settings\Liam\.housecall6.6
2008-09-13 18:36 . 2008-09-13 18:36 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Simply Super Software
2008-09-13 15:00 . 2008-09-13 15:00 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\TrojanHunter
2008-09-12 16:46 . 2008-09-12 16:46 <DIR> d-------- C:\Program Files\iPod
2008-09-12 16:45 . 2008-09-12 16:46 <DIR> d-------- C:\Program Files\iTunes
2008-09-12 16:45 . 2008-09-12 16:45 <DIR> d-------- C:\Program Files\Bonjour
2008-09-12 16:45 . 2008-09-12 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 17:29 . 2008-09-28 15:59 <DIR> d-------- C:\Program Files\Macromedia
2008-09-11 17:29 . 2008-09-28 16:00 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-09-11 17:12 . 2008-06-25 02:43 74,240 --a------ C:\WINDOWS\system32\dllcache\mscms.dll
2008-09-11 17:11 . 2008-06-20 21:51 361,600 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2008-09-11 17:11 . 2008-06-21 03:46 245,248 --a------ C:\WINDOWS\system32\dllcache\mswsock.dll
2008-09-11 17:11 . 2008-06-20 21:08 225,856 --a------ C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-09-11 17:11 . 2008-06-21 03:46 147,968 --a------ C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-09-11 17:11 . 2008-06-20 21:40 138,496 --a------ C:\WINDOWS\system32\dllcache\afd.sys
2008-09-11 17:10 . 2008-06-13 21:05 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-11 17:09 . 2008-04-12 05:04 691,712 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-11 17:08 . 2008-07-08 06:26 253,952 --a------ C:\WINDOWS\system32\dllcache\es.dll
2008-09-11 17:08 . 2008-05-09 00:02 203,136 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-10 20:33 . 2008-09-10 20:33 <DIR> d-------- C:\fsaua.data
2008-09-10 18:43 . 2008-09-10 18:43 <DIR> d--hs---- C:\Documents and Settings\Liam\PrivacIE
2008-09-10 17:50 . 2008-09-10 17:51 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-10 17:45 . 2008-09-10 17:45 <DIR> d-------- C:\WINDOWS\Logs
2008-09-10 17:31 . 2008-09-10 17:31 <DIR> d-------- C:\Program Files\Belarc
2008-09-10 17:31 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-09-10 10:11 . 2008-09-10 10:11 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-10 09:07 . 2008-09-10 09:07 <DIR> d-------- C:\5a45d66c462ee2a14b9a88
2008-09-10 09:06 . 2008-09-10 09:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-10 09:00 . 2008-09-10 09:00 <DIR> dr-h----- C:\AHCache
2008-09-10 08:50 . 2008-08-11 12:48 2,295,328 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-09-10 08:50 . 2008-08-11 12:48 152,064 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-09-10 08:50 . 2008-08-11 12:24 143,360 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-09-10 08:50 . 2008-08-11 12:24 143,360 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-09-10 08:50 . 2008-08-11 12:23 106,496 --a------ C:\WINDOWS\system32\hccutils.dll
2008-09-10 08:50 . 2008-08-11 12:48 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-09-10 08:50 . 2008-08-11 12:24 52,224 --a------ C:\WINDOWS\system32\igfxsrvc.dll
2008-09-09 19:42 . 2008-09-10 09:15 <DIR> d-------- C:\Program Files\Uniblue
2008-09-09 19:42 . 2008-09-09 19:42 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Uniblue
2008-09-09 19:06 . 2008-09-09 19:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 13:30 . 2008-09-09 13:30 <DIR> d-------- C:\Intel
2008-09-09 12:41 . 2008-09-09 12:41 <DIR> d-------- C:\Program Files\Panda Security
2008-09-09 12:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-09 12:17 . 2008-09-09 12:17 2,826 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 12:16 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-09 12:16 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-09 10:51 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-09 10:51 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-09 10:51 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-09-09 10:51 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe.vir
2008-09-09 10:36 . 2008-09-30 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-09 09:36 . 2008-09-09 09:36 <DIR> d-------- C:\ie-spyad_zo
2008-09-08 22:28 . 2008-10-02 11:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-05 17:38 . 2008-09-05 17:38 <DIR> d-------- C:\Documents and Settings\Liam\dwhelper
2008-09-04 10:10 . 2008-09-04 10:11 56 --a------ C:\WINDOWS\AudioMidRecorder.INI
2008-09-04 10:02 . 2008-09-04 10:02 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Search Settings
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 01:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-02 00:53 308,224 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-10-02 00:53 2,735,616 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-10-02 00:50 --------- d-----w C:\Documents and Settings\Liam\Application Data\uTorrent
2008-10-01 23:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-10-01 21:45 --------- d-----w C:\Program Files\Java
2008-10-01 11:44 951,808 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-10-01 11:44 2,619,392 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-09-29 23:13 --------- d-----w C:\Documents and Settings\Liam\Application Data\U3
2008-09-29 22:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-29 12:07 635,904 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-09-29 12:07 2,415,104 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-09-29 02:14 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-09-28 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 07:45 --------- d-----w C:\Program Files\MSECache
2008-09-13 03:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-12 06:44 --------- d-----w C:\Program Files\QuickTime
2008-09-12 06:44 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-06 12:12 --------- d-----w C:\Documents and Settings\Liam\Application Data\My Battle for Middle-earth(tm) II Files
2008-09-03 11:17 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-24 12:26 --------- d-----w C:\Documents and Settings\Liam\Application Data\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Common Files\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Common Files\BCL Technologies
2008-08-24 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nitro PDF
2008-08-22 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-17 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-08-14 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-08-14 10:57 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-12 06:10 4,751,360 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-11 12:13 --------- d-----w C:\Program Files\Apple Software Update
2008-08-11 02:48 6,044,864 ----a-w C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-08-10 03:11 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-10 03:10 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-09 06:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 05:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-08-05 09:53 --------- d-----w C:\Program Files\Sun
2008-07-31 05:05 16,806,912 ----a-w C:\WINDOWS\RTHDCPL.EXE
2006-03-15 03:19 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2006-01-26 06:55 280,576 ----a-w C:\WINDOWS\inf\WG311v3\WG311v3.sys
2005-10-06 04:17 280,576 ----a-w C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2008-03-01 22:49 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030220080303\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-06-20 153856]
"SetDefaultMIDI"="MIDIDef.exe" [2005-12-08 C:\WINDOWS\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-08-11 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-08-11 172032]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-08-11 143360]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-02-12 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 0 (0x0)
"DisableClock"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe []
R3 Acer ODDSpeedControl;Acer ODDSpeedControl;C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-16 02:02]
R3 bepldr;BCL easyPDF SDK 5 Loader;C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-08-22 16:19]
R3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 10:01]
R3 MTXPARH;MTXPARH;C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys [2005-04-22 10:34]
R3 PD91Engine;PD91Engine;C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-01-16 10:52]
R3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-01 19:08]
S0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\System32\Drivers\avgrkx86.sys [2008-06-20 17:53]
S0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S1 avfwot;avfwot;C:\WINDOWS\system32\DRIVERS\avfwot.sys [2008-05-07 14:20]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-26 07:24]
S1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2006-05-18 11:29]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 07:24]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-06-20 17:53]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys [2006-06-06 04:30]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys [2006-06-07 11:36]
S2 LMS;Intel(R) Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe [2006-06-29 11:35]
S2 LockServ;LockServ;C:\Acer\Empowering Technology\eLock\LockServ.exe [2006-05-30 05:25]
S2 netlimiter;netlimiter;C:\WINDOWS\system32\drivers\netlimiter.sys [2006-01-25 08:01]
S2 netlock;netlock;C:\WINDOWS\system32\drivers\netlock.sys [2006-01-19 10:46]
S2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-07-01 09:58]
S2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-04-01 05:32]
S2 PD91Agent;PD91Agent;C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-01-16 10:52]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-02-12 13:59]
S3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [2008-05-07 10:51]
S3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-16 07:57]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DDE9D8F8-7939-0C02-2F56-385F01DC566F}]
C:\WINDOWS\windows32.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{54A8264B-AFFB-4614-95FE-0234817EA282} - C:\WINDOWS\system32\rqRlKeEU.dll
ShellExecuteHooks-{54A8264B-AFFB-4614-95FE-0234817EA282} - C:\WINDOWS\system32\rqRlKeEU.dll
.
Supplementary Scan
.
FireFox -: Profile - C:\Documents and Settings\Liam\Application Data\Mozilla\Firefox\Profiles\ru356jyp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Documents and Settings\Liam\Application Data\Mozilla\Firefox\Profiles\ru356jyp.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 12:15:33
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\AlarmS4.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-02 12:19:20 - machine was rebooted [Liam]
ComboFix-quarantined-files.txt 2008-10-02 02:19:16
ComboFix2.txt 2008-09-26 08:43:50
Pre-Run: 137,583,788,032 bytes free
Post-Run: 137,879,678,976 bytes free
350 --- E O F --- 2008-09-09 20:52:21
ComboFix Log:
ComboFix 08-10-01.02 - Liam 2008-10-02 12:34:43.2 - NTFSx86
Running from: G:\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
BITS: Possible infected sites
hxxp://wzporn.com
.
((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.
2008-10-02 12:26 . 2008-10-02 12:26 <DIR> d-------- C:\OEMSettings
2008-10-02 10:10 . 2006-03-20 17:20 <DIR> d-------- C:\Documents and Settings\Zoomer\Application Data\Avocent AdminWorks
2008-10-02 10:10 . 2008-10-02 10:50 <DIR> d---s---- C:\Documents and Settings\Zoomer
2008-10-02 07:55 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-10-02 07:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-01 18:57 . 2008-10-02 07:48 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-09-30 09:44 . 2008-09-30 09:44 280 --a------ C:\WINDOWS\system32\PDBootState
2008-09-30 09:40 . 2008-09-30 09:40 <DIR> d-------- C:\Program Files\Raxco
2008-09-30 09:20 . 2008-01-09 22:00 68,624 -ra------ C:\WINDOWS\system32\drivers\DefragFS.sys
2008-09-30 09:19 . 2008-09-30 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-09-30 09:07 . 2008-09-30 09:07 <DIR> d-------- C:\Program Files\BillP Studios
2008-09-30 09:07 . 2008-09-30 09:07 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\WinPatrol
2008-09-30 08:46 . 2008-09-30 08:46 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-30 08:30 . 2008-09-30 08:30 <DIR> d-------- C:\Program Files\NOS
2008-09-30 08:30 . 2008-09-30 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-29 12:32 . 2008-09-29 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-09-29 11:03 . 2008-09-29 11:03 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-29 11:02 . 2008-10-02 12:37 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-28 19:46 . 2008-09-14 18:50 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-24 16:50 . 2003-12-11 09:50 70,894 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2008-09-24 16:50 . 2003-12-11 09:50 25,630 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2008-09-24 16:50 . 2003-11-26 09:50 19,968 --a------ C:\WINDOWS\Logi_MwX.Exe
2008-09-24 16:24 . 2008-09-28 15:55 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-09-23 22:00 . 2008-09-23 22:22 <DIR> d-------- C:\Program Files\VS Revo Group
2008-09-23 21:42 . 2008-09-23 21:43 <DIR> d-------- C:\TEMP
2008-09-23 21:42 . 2008-09-23 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Premium Security Suite
2008-09-23 21:03 . 2008-09-23 21:03 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Avira
2008-09-23 20:57 . 2008-09-23 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-23 20:57 . 2008-05-07 14:20 71,592 --a------ C:\WINDOWS\system32\drivers\avfwot.sys
2008-09-23 20:57 . 2008-05-07 10:51 71,464 --a------ C:\WINDOWS\system32\drivers\avfwim.sys
2008-09-21 17:45 . 2008-09-21 17:45 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-09-21 16:48 . 2004-08-04 15:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN5A.tmp
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN59.tmp
2008-09-21 16:27 . 2008-09-21 16:27 0 --a------ C:\WINDOWS\system32\REN58.tmp
2008-09-19 07:27 . 2008-09-19 07:32 <DIR> d-------- C:\Program Files\Driver Sweeper
2008-09-16 16:40 . 2008-09-16 16:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 16:40 . 2008-09-16 16:40 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Malwarebytes
2008-09-16 16:40 . 2008-09-16 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 16:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 16:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-14 18:49 . 2008-09-21 15:50 <DIR> d-------- C:\Documents and Settings\Liam\.housecall6.6
2008-09-13 18:36 . 2008-09-13 18:36 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Simply Super Software
2008-09-13 15:00 . 2008-09-13 15:00 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\TrojanHunter
2008-09-12 16:46 . 2008-09-12 16:46 <DIR> d-------- C:\Program Files\iPod
2008-09-12 16:45 . 2008-09-12 16:46 <DIR> d-------- C:\Program Files\iTunes
2008-09-12 16:45 . 2008-09-12 16:45 <DIR> d-------- C:\Program Files\Bonjour
2008-09-12 16:45 . 2008-09-12 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 17:29 . 2008-09-28 15:59 <DIR> d-------- C:\Program Files\Macromedia
2008-09-11 17:29 . 2008-09-28 16:00 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-09-11 17:12 . 2008-06-25 02:43 74,240 --a------ C:\WINDOWS\system32\dllcache\mscms.dll
2008-09-11 17:11 . 2008-06-20 21:51 361,600 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2008-09-11 17:11 . 2008-06-21 03:46 245,248 --a------ C:\WINDOWS\system32\dllcache\mswsock.dll
2008-09-11 17:11 . 2008-06-20 21:08 225,856 --a------ C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-09-11 17:11 . 2008-06-21 03:46 147,968 --a------ C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-09-11 17:11 . 2008-06-20 21:40 138,496 --a------ C:\WINDOWS\system32\dllcache\afd.sys
2008-09-11 17:10 . 2008-06-13 21:05 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-11 17:09 . 2008-04-12 05:04 691,712 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-11 17:08 . 2008-07-08 06:26 253,952 --a------ C:\WINDOWS\system32\dllcache\es.dll
2008-09-11 17:08 . 2008-05-09 00:02 203,136 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-10 20:33 . 2008-09-10 20:33 <DIR> d-------- C:\fsaua.data
2008-09-10 18:43 . 2008-09-10 18:43 <DIR> d--hs---- C:\Documents and Settings\Liam\PrivacIE
2008-09-10 17:50 . 2008-09-10 17:51 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-10 17:45 . 2008-09-10 17:45 <DIR> d-------- C:\WINDOWS\Logs
2008-09-10 17:31 . 2008-09-10 17:31 <DIR> d-------- C:\Program Files\Belarc
2008-09-10 17:31 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-09-10 10:11 . 2008-09-10 10:11 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-10 09:07 . 2008-09-10 09:07 <DIR> d-------- C:\5a45d66c462ee2a14b9a88
2008-09-10 09:06 . 2008-09-10 09:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-10 09:00 . 2008-09-10 09:00 <DIR> dr-h----- C:\AHCache
2008-09-10 08:50 . 2008-08-11 12:48 2,295,328 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-09-10 08:50 . 2008-08-11 12:48 152,064 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-09-10 08:50 . 2008-08-11 12:24 143,360 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-09-10 08:50 . 2008-08-11 12:24 143,360 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-09-10 08:50 . 2008-08-11 12:23 106,496 --a------ C:\WINDOWS\system32\hccutils.dll
2008-09-10 08:50 . 2008-08-11 12:48 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-09-10 08:50 . 2008-08-11 12:24 52,224 --a------ C:\WINDOWS\system32\igfxsrvc.dll
2008-09-09 19:42 . 2008-09-10 09:15 <DIR> d-------- C:\Program Files\Uniblue
2008-09-09 19:42 . 2008-09-09 19:42 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Uniblue
2008-09-09 19:06 . 2008-09-09 19:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 13:30 . 2008-09-09 13:30 <DIR> d-------- C:\Intel
2008-09-09 12:41 . 2008-09-09 12:41 <DIR> d-------- C:\Program Files\Panda Security
2008-09-09 12:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-09 12:17 . 2008-09-09 12:17 2,826 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 12:16 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-09 12:16 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-09 10:51 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-09 10:51 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-09 10:51 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-09-09 10:51 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe.vir
2008-09-09 10:36 . 2008-09-30 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-09 09:36 . 2008-09-09 09:36 <DIR> d-------- C:\ie-spyad_zo
2008-09-08 22:28 . 2008-10-02 11:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-05 17:38 . 2008-09-05 17:38 <DIR> d-------- C:\Documents and Settings\Liam\dwhelper
2008-09-04 10:10 . 2008-09-04 10:11 56 --a------ C:\WINDOWS\AudioMidRecorder.INI
2008-09-04 10:02 . 2008-09-04 10:02 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\Search Settings
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 02:30 1,014,000 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-10-02 01:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-02 00:53 308,224 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-10-02 00:53 2,735,616 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-10-02 00:50 --------- d-----w C:\Documents and Settings\Liam\Application Data\uTorrent
2008-10-01 23:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-10-01 21:45 --------- d-----w C:\Program Files\Java
2008-10-01 11:44 951,808 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-10-01 11:44 2,619,392 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-09-29 23:13 --------- d-----w C:\Documents and Settings\Liam\Application Data\U3
2008-09-29 22:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-29 12:07 635,904 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-09-29 12:07 2,415,104 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-09-29 02:14 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-09-28 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 07:45 --------- d-----w C:\Program Files\MSECache
2008-09-13 03:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-12 06:44 --------- d-----w C:\Program Files\QuickTime
2008-09-12 06:44 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-06 12:12 --------- d-----w C:\Documents and Settings\Liam\Application Data\My Battle for Middle-earth(tm) II Files
2008-09-03 11:17 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-24 12:26 --------- d-----w C:\Documents and Settings\Liam\Application Data\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Common Files\Nitro PDF
2008-08-24 12:24 --------- d-----w C:\Program Files\Common Files\BCL Technologies
2008-08-24 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nitro PDF
2008-08-22 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-17 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-08-14 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-08-14 10:57 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-12 06:10 4,751,360 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-11 12:13 --------- d-----w C:\Program Files\Apple Software Update
2008-08-11 02:48 6,044,864 ----a-w C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-08-10 03:11 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-10 03:10 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-09 06:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 05:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-08-05 09:53 --------- d-----w C:\Program Files\Sun
2008-07-31 05:05 16,806,912 ----a-w C:\WINDOWS\RTHDCPL.EXE
2006-03-15 04:19 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2006-01-26 07:55 280,576 ----a-w C:\WINDOWS\inf\WG311v3\WG311v3.sys
2005-10-06 05:17 280,576 ----a-w C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2008-03-01 22:49 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030220080303\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-10-02_12.18.45.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-12-29 08:07:50 282,624 ----a-r C:\WINDOWS\system32\drivers\WG311v3XP.sys
+ 2005-10-06 05:17:34 280,576 ----a-w C:\WINDOWS\system32\drivers\WG311v3XP.sys
- 2008-09-29 01:00:24 116,210 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-02 02:28:04 117,354 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-29 01:00:24 541,078 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-02 02:28:04 543,242 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2005-12-29 08:07:50 282,624 ----a-r C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\WG311v3XP.sys
- 2005-10-06 04:17:34 280,576 ----a-w C:\WINDOWS\system32\ReinstallBackups\0028\DriverFiles\WG311v3XP.sys
+ 2005-10-06 05:17:34 280,576 ----a-w C:\WINDOWS\system32\ReinstallBackups\0028\DriverFiles\WG311v3XP.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-06-20 153856]
"SetDefaultMIDI"="MIDIDef.exe" [2005-12-08 C:\WINDOWS\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-08-11 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-08-11 172032]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-08-11 143360]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-02-12 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 0 (0x0)
"DisableClock"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe []
R3 Acer ODDSpeedControl;Acer ODDSpeedControl;C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-16 02:02]
R3 bepldr;BCL easyPDF SDK 5 Loader;C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-08-22 16:19]
R3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 10:01]
R3 MTXPARH;MTXPARH;C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys [2005-04-22 10:34]
R3 PD91Engine;PD91Engine;C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-01-16 10:52]
R3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-01 19:08]
S0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\System32\Drivers\avgrkx86.sys [2008-06-20 17:53]
S0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S1 avfwot;avfwot;C:\WINDOWS\system32\DRIVERS\avfwot.sys [2008-05-07 14:20]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-26 07:24]
S1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2006-05-18 11:29]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 07:24]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-06-20 17:53]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys [2006-06-06 04:30]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys [2006-06-07 11:36]
S2 LMS;Intel(R) Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe [2006-06-29 11:35]
S2 LockServ;LockServ;C:\Acer\Empowering Technology\eLock\LockServ.exe [2006-05-30 05:25]
S2 netlimiter;netlimiter;C:\WINDOWS\system32\drivers\netlimiter.sys [2006-01-25 08:01]
S2 netlock;netlock;C:\WINDOWS\system32\drivers\netlock.sys [2006-01-19 10:46]
S2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-07-01 09:58]
S2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-04-01 05:32]
S2 PD91Agent;PD91Agent;C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-01-16 10:52]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-02-12 13:59]
S3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [2008-05-07 10:51]
S3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-16 07:57]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DDE9D8F8-7939-0C02-2F56-385F01DC566F}]
C:\WINDOWS\windows32.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
Supplementary Scan
.
FireFox -: Profile - C:\Documents and Settings\Liam\Application Data\Mozilla\Firefox\Profiles\ru356jyp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Documents and Settings\Liam\Application Data\Mozilla\Firefox\Profiles\ru356jyp.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 12:40:39
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
PROCESS: C:\WINDOWS\Explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
Other Running Processes
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\AlarmS4.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-02 12:44:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-02 02:44:27
ComboFix2.txt 2008-10-02 02:19:21
ComboFix3.txt 2008-09-26 08:43:50
Pre-Run: 137,714,847,744 bytes free
Post-Run: 137,689,391,104 bytes free
348 --- E O F --- 2008-09-09 20:52:21
2002-02-15 04:02:00 676,352 C:\Qoobox\Quarantine\C\WINDOWS\system32\rtl60.bpl.vir
2008-08-22 06:59:34 10,048 C:\Qoobox\Quarantine\C\WINDOWS\msvrc20.dll.vir
2008-09-10 08:44:35 5,242,983 C:\Qoobox\Quarantine\C\Documents and Settings\Liam\Local Settings\Temporary Internet Files\SuggestedSites.dat.vir
2008-09-26 08:43:28 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-09-26 08:43:28 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-09-26 08:43:28 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-09-26 08:43:29 121 C:\Qoobox\Quarantine\Registry_backups\Toolbar-SITEguard.reg.dat
2008-10-01 23:43:35 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRlKeEU.dll.vir
2008-10-01 23:43:35 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqPhHwx.dll.vir
2008-10-01 23:43:50 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJApQkj.dll.vir
2008-10-01 23:43:50 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJYqRKe.dll.vir
2008-10-01 23:44:07 33,809 C:\Qoobox\Quarantine\C\WINDOWS\windows32.exe.vir
2008-10-01 23:44:08 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\opnlMgda.dll.vir
2008-10-01 23:44:08 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnKEXoo.dll.vir
2008-10-01 23:47:57 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\opnmmlMG.dll.vir
2008-10-01 23:47:57 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRIxutr.dll.vir
2008-10-01 23:48:53 253,952 C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkLFvUK.dll.vir
2008-10-02 02:00:47 21,436 C:\Qoobox\Quarantine\C\WINDOWS\system32\KUvFLkkj.ini2.vir
2008-10-02 02:00:59 21,614 C:\Qoobox\Quarantine\C\WINDOWS\system32\KUvFLkkj.ini.vir
2008-10-02 02:08:52 814 C:\Qoobox\Quarantine\Registry_backups\Legacy_MCHINJDRV.reg.dat
2008-10-02 02:15:22 3,697 C:\Qoobox\Quarantine\catchme2008-10-02_121521.54.zip
2008-10-02 02:18:46 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{54A8264B-AFFB-4614-95FE-0234817EA282}.reg.dat
2008-10-02 02:18:58 363 C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{54A8264B-AFFB-4614-95FE-0234817EA282}.reg.dat
2008-10-02 02:36:12 9,971 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-02 02:36:28 1,726 C:\Qoobox\Quarantine\catchme.log
2008-10-02 02:40:25 3,694 C:\Qoobox\Quarantine\catchme2008-10-02_124024.95.zip
The local Documents and Settings folder contains the two downloaders it couldn't remove; are they still active, is that correct? How should we remove them?
I am so sorry that all your hard work and effort has been used only for me to ruin it. I am sorry. I have really appreciated your help over the last couple of weeks. Thank you so much for your help. You have been great.
ADDING at 3:18PM:
I have run a Panda Scan. It has detected 7 infections. 6 of these are in the System Volume Information again. Should I run through the normal procedure we have been using? The 7th infection is in a program called Flash Disinfector, which I downloaded yesterday to make sure that my flash drive wasn't infected from my computer in the last 2 weeks. I have deleted it and placed it in the recycle bin. I thought I was at a safe place when I downloaded it but evidently I was wrong. Can you recommend a safe place to download a flash drive disinfecting program? Also, in the below report, it says I have Avira Premium installed. I have never even heard of this program, let alone installed it. I can't find it in my Program Files nor in the Add/Remove Programs control panel. Any ideas? I will now run a Trojan scanner by A-Squared.
Panda Scan Report:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-10-02 15:15:57
PROTECTIONS: 2
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus 8.0 Yes Yes
Avira Premium Security Suite 8.0.1.27 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00366244 Application/NirCmd.A HackTools No 0 No No D:\AntivirusAntispyware\Flash_Disinfector.exe[D:\AntivirusAntispyware\Flash_Disinfector.exe][nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP13\A0007347.exe[C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP13\A0007347.exe][nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Documents and Settings\Liam\Local Settings\temp\nircmd.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP17\A0007533.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP13\A0007364.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP17\A0007520.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{50BF3AB8-5489-4087-8C8B-277823628A25}\RP13\A0007328.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location _
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description _
;===================================================================================================================================================================================
;===================================================================================================================================================================================
ADDING at 4:02PM:
I have run an A-Squared Trojan Scanner. The results are:
a-squared Free - Version 2
Scan settings:
Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 2/10/2008 3:32:34 PM
Scanned
Files: 71731
Traces: 317957
Cookies: 220
Processes: 44
Found
Files: 0
Traces: 1
Cookies: 9
Processes: 0
Scan end: 2/10/2008 4:00:22 PM
Scan time: 12:27:48 AM
I let A-Squared quarantine the 10 infections and then allowed it to delete them. Any concerns so far with the 2 scans?
Zone Alarm Online Scan detected a Win 32.Askyaya- Trojan in:
RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}\
It did not offer to remove it and I haven't touched it. Should I remove this entry?
ADDING AT 5:23PM:
AVG scan was clean. Also, the way I log on/log off has been changed. I used the Welcome Screen and Fast Switching options but after the problem I had earlier, those options have been disabled. When I click
control panel > user accounts > change the way users log on or off
I get 2 errors. The first error says:
"The specified module could not be found".
The second error says:
"Object doesn't support this property or method". This error occurs twice. I can then select the 2 options and click apply, but they are not applied, and when I go back into the user accounts I receive the same errors. Files have been removed evidently. But which ones? Malwarebytes also had a similar problem. I couldn't open it so I have been forced to uninstall it. Should I reinstall it and run a scan with it? I will let you know if any more programs don't work.
Oh, and I realised that if I type "msconfig" into run, it says:
"Windows cannot find 'msconfig'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search".
ADDING at 5:46PM:
I ran DriverMax to see if there were any updates to my drivers. It came up with the error:
EHttpConnectionError: can't resolve hostname to IP address ErrorCode: 404
ADDING at 6:15PM:
Kaspersky won't run because it reports an error when it starts uploading the database. It calls the error an "Application" error.
ADDING at 6:55PM:
Trend Micro online scan won't run as it says it can't transfer the files.
It appears many files have been wiped, rendering many of my services incapable of running. I also have noticed that IE crashes often, and Mozilla loads pages slower than usual, sometimes not running at all even with a full connection to the internet. And none of my AV scans have actually mentioned what this infection is. Any ideas?
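The ComboFix log above packs several security-relevant findings into its "Reg Loading Points" and BITS sections (Security Center alerting switched off, the firewall profile disabled, an AutoRun command cached for drive F:, an Active Setup component launching C:\WINDOWS\windows32.exe, and a BITS job pointing at an external site). The triage script below is an added example written for this thread; it is not part of the original post and not a ComboFix or any vendor tool. It parses the log's own `[key]` / `"name"=value` layout and applies a handful of defender-side heuristics I chose myself; the sample lines are copied from the log above, and the severity labels are my own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Lines copied from the ComboFix log in this thread, in the layout the parser expects.
SAMPLE_LOG = r"""
BITS: Possible infected sites
hxxp://wzporn.com
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-08-11 143360]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DDE9D8F8-7939-0C02-2F56-385F01DC566F}]
C:\WINDOWS\windows32.exe
"""

@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (my own labels, not a vendor rating)
    key: str        # registry key, or the section header for non-registry blocks
    item: str       # the log line that triggered the rule
    reason: str

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# An executable sitting directly in the Windows directory root (no sub-folder).
WINDIR_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

def _dword_is_one(value: str) -> bool:
    v = value.strip().lower()
    return v.startswith("dword:") and int(v[6:], 16) == 1

def _numeric_is_zero(value: str) -> bool:
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) == 0

def triage(text: str) -> list[Finding]:
    """Walk the log once, tracking the current key, and emit findings for known weak spots."""
    findings: list[Finding] = []
    key: str | None = None
    in_bits = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key, in_bits = m.group(1), False
            continue
        if line.startswith("BITS:"):            # header of the BITS job section
            key, in_bits = line, True
            continue
        if line == ".":                          # ComboFix section separator
            in_bits = False
            continue
        if in_bits:
            findings.append(Finding("high", key or "", line,
                "BITS transfer job references an external URL; background downloads via BITS are a common payload-fetch channel"))
            continue
        if key is None:
            continue
        lk = key.lower()
        vm = VALUE_RE.match(line)
        name = vm.group("name") if vm else None
        value = vm.group("value") if vm else ""
        if "security center" in lk and name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "DisableMonitoring") and _dword_is_one(value):
            findings.append(Finding("medium", key, line,
                "Security Center alerting suppressed; the user is not warned when AV or firewall protection stops"))
        elif "firewallpolicy" in lk and name == "EnableFirewall" and _numeric_is_zero(value):
            findings.append(Finding("high", key, line, "Windows Firewall is disabled for this profile"))
        elif r"active setup\installed components" in lk and WINDIR_ROOT_RE.match(line):
            findings.append(Finding("high", key, line,
                "Active Setup component runs an executable from the Windows root; this key executes once per user at logon and is a known persistence location"))
        elif "mountpoints2" in lk and "autorun\\command" in line.lower():
            findings.append(Finding("medium", key, line,
                "AutoRun command cached for a removable drive; it runs when the drive is opened"))
        elif lk.endswith("\\run") and name and re.match(r'^"[^"\\]+"', value):
            findings.append(Finding("info", key, line,
                "Run entry names the executable without a full path; confirm the resolved location shown in brackets"))
    return findings

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.item}\n         {f.reason}")
```

Run as-is it reports three high, three medium and one info finding from the excerpt. The rules deliberately stay narrow: the `Run` rule only notes entries given by bare file name (RTHDCPL.EXE is a legitimate Realtek applet, so that is an "info" item to confirm, not an alert), while the firewall and Active Setup rules fire on exact, unambiguous values.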