Completely Hijacked (?)
Hello -
Well, I should say that I am a total newbie and have nowhere near the knowledge I need to take on my problem alone. I have, however, learned quite a bit today... I believe hijacked is the proper term for what is happening to me, but I am not sure (thus the "?").
I have read through previous threads and some seem very similar to the problem I am having. This started yesterday, and here is what has happened since then:
It all started with the XP Antivirus 2009 thingy. Yes I had AVG, but that's all, and I am not sure how well it was working but I know that it updated every morning at 8:00 AM. After getting the red x and other things from the xp 2009, I searched the web and it sounded like Malwarebytes was the thing to do. Ran it, looks good, so I also downloaded SuperAntispyware, and Spybot, and eventually HJT. So now my computer is running better than it has in a year or more, and the XP 2009 thing is gone.
AND THEN! This morning I got the bright idea to restart the computer. Actually let it turn all the way off for a few minutes. Generally it is always running. You are familiar with the rest of the story - Windows now runs in safe mode only, every time I run Malwarebytes I get the same 5 problems (tdss) even if I delete them each time. I looked at the original log from 10/21 and I see the brastk and some other insidious junk. Also, in area 20 of HJT, you will see the Winlogon Notify, and the Karna.dat thing, both of which sound bad when reading about them online. They also return after each reboot.
Here is what seems a little different - while I know that some people have stated in previous threads that they cannot access antivirus websites, I can't either, and I cannot access anything that will let me download Combofix or the RIS_ something or other, and nothing that has HJT in the title or address AT ALL. Also, the only program that seems to update is Malwarebytes. I tried to update AVG, and had a "serious" error with that. I was able to download Avast! and am running it now, it seems to function properly. I will include the most recent HJT log, and Malwarebytes too, in hopes that someone patient enough wants to deal with this. I appreciate any help in advance.
****** HJT LOG ******
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:11 PM, on 10/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PTO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe
--
End of file - 6368 bytes
******
****** Malwarebytes Log ******
Malwarebytes' Anti-Malware 1.30
Database version: 1311
Windows 5.1.2600 Service Pack 2
10/23/2008 8:34:09 PM
mbam-log-2008-10-23 (20-34-09).txt
Scan type: Quick Scan
Objects scanned: 48355
Time elapsed: 3 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
******
0
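Detection logic for the persistence points visible in the two logs above, as an added example that is not part of the original post and not code from HijackThis or Malwarebytes. It parses HJT entry lines and flags the ones a reviewer would look at first (a non-empty O20 AppInit_DLLs, O20 Winlogon Notify handlers, O2/O3/O18 components whose file is missing, O23 services running out of a Temp directory), and it checks a Winlogon Userinit value against the stock XP entry. The severity labels, the function names and the `Finding` class are this example's own; the sample lines are copied from the HJT log in the post.

```python
"""Triage the persistence points visible in a HijackThis (HJT) v2 log.

Added example, not part of the original post and not code from HijackThis or
Malwarebytes. The section tags (O2, O3, O18, O20, O23) are HJT's own; the
severity labels and helper names below are this example's choice.
"""
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HJT log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PTO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    severity: str  # "high" = load point that is normally empty; "review" = confirm the owner
    line: str      # the log line that produced the finding
    reason: str


HJT_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, body, line) for each HJT entry line; headers and the process list are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage_hjt(text):
    """Return the entries a reviewer should look at first, in log order."""
    findings = []
    for sec, body, line in parse_hjt(text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # on XP this DLL is loaded into every process that maps user32.dll
                findings.append(Finding(sec, "high", line,
                                        "AppInit_DLLs is set; it is normally empty"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(sec, "review", line,
                                    "Winlogon Notify DLL runs inside winlogon.exe; confirm the vendor"))
        elif sec in ("O2", "O3", "O18") and "(file missing)" in body:
            findings.append(Finding(sec, "review", line,
                                    "registered component whose file is gone; orphaned entry to clean up"))
        elif sec == "O23" and TEMP_PATH.search(body):
            findings.append(Finding(sec, "review", line,
                                    "service binary under a Temp directory; verify what installed it"))
    return findings


def userinit_is_default(value, systemroot=r"C:\WINDOWS"):
    """True only when the Winlogon Userinit value holds the stock XP entry, trailing comma included.

    The Malwarebytes log above shows this value reduced to a bare directory,
    which is one of the changes it reverted.
    """
    expected = systemroot.rstrip("\\") + r"\system32\userinit.exe,"
    return value.strip().lower() == expected.lower()


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    # Stock entry first, then the truncated value reported in the Malwarebytes log.
    for v in (r"C:\WINDOWS\system32\userinit.exe,", "c:\\windows\\system32\\"):
        print("Userinit", repr(v), "default" if userinit_is_default(v) else "MODIFIED")
```

Run against the full log, the script only narrows the list; a Winlogon Notify entry from a known anti-spyware vendor and a temporary Sysinternals service are still ordinary, so each "review" finding needs a human to confirm the file's owner rather than a blind delete.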
Comments
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
Click here and select Open (or Run) to run a tool that will check your computer for a specific rootkit infection.
When the tool completes a log will open.
Please post the contents of that log.
Note - if you do not have the option to open or run, you may save it and run it from your hard drive
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv
NextInstance REG_DWORD 1 (0x1)
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000
Service REG_SZ TDSSserv
Legacy REG_DWORD 1 (0x1)
ConfigFlags REG_DWORD 0 (0x0)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc REG_SZ TDSSserv
Capabilities REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\Control
ActiveService REG_SZ TDSSserv
Disable Teatimer
First step:
- Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
- If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
- If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, for either version (Step 2):
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
See HERE for help
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Step 3
Download and Run RSIT
Step 4
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Now back to present. That is the only other thing I have done by the way. So, I completed step 1, and rebooted, and my machine started up normally, albeit with some messages about diagnostic mode, and it SEEMS like the system restore has been activated (it would not respond previously). However, step 2 failed - none of the links you gave me are accessible. I can provide email address if that is a good method of receiving the CF file...
Here is the log:
ComboFix 08-10-23.08 - User 2008-10-24 9:29:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Downloaded Program Files\Temp
.
---- Previous Run
.
C:\Documents and Settings\User\Cookies\acexaneq.ban
C:\Documents and Settings\User\Cookies\nuhe.dat
C:\Documents and Settings\User\Cookies\ozawy.pif
C:\Documents and Settings\User\Cookies\ucalag.lib
C:\Documents and Settings\User\Cookies\yhoja._dl
C:\WINDOWS\system32\Drivers\TDSSpaxt.sys
C:\WINDOWS\system32\Drivers\TDSSpqlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbivk.log
C:\WINDOWS\system32\TDSSbubv.log
C:\WINDOWS\system32\TDSSbubx.dll
C:\WINDOWS\system32\TDSScfub.dll
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSShrxr.dll
C:\WINDOWS\system32\TDSSkpjp.log
C:\WINDOWS\system32\TDSSlrvd.dat
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSmaxt.dat
C:\WINDOWS\system32\TDSSnmxh.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSoeqh.dll
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSoiqt.dll
C:\WINDOWS\system32\TDSSosvn.dat
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSrhyp.dll
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSrtqp.dll
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSsbhc.log
C:\WINDOWS\system32\TDSSthym.dll
C:\WINDOWS\system32\TDSStkdv.dll
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSvvbi.dll
C:\WINDOWS\system32\TDSSvvbi.log
C:\WINDOWS\system32\TDSSxfum.dll
C:\WINDOWS\system32\windows_update.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.
2008-10-23 16:47 . 2008-10-23 16:47 <DIR> d C:\Program Files\Alwil Software
2008-10-23 15:36 . 2008-10-23 15:36 <DIR> d C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-10-23 14:46 . 2008-10-23 14:58 <DIR> d C:\Program Files\Free Window Registry Repair
2008-10-23 12:47 . 2008-10-23 12:47 <DIR> d C:\Documents and Settings\Administrator
2008-10-22 10:13 . 2008-10-22 10:13 <DIR> d C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 08:32 . 2008-10-22 08:32 <DIR> d C:\Program Files\Trend Micro
2008-10-21 23:31 . 2008-10-23 20:02 <DIR> d C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-22 16:10 38,496 --a C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 23:31 . 2008-10-22 16:10 15,504 --a C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 21:46 . 2008-10-23 19:58 <DIR> d C:\Program Files\Spybot - Search & Destroy
2008-10-21 21:46 . 2008-10-24 08:21 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d C:\Program Files\SUPERAntiSpyware
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 21:28 . 2008-10-21 21:28 2,002 --a C:\WINDOWS\Sysvxd.exe
2008-10-21 21:26 . 1999-12-21 07:58 21,312 --a C:\WINDOWS\choice.exe
2008-10-21 21:09 . 2008-10-21 21:09 <DIR> d C:\Documents and Settings\User\Application Data\MSNInstaller
2008-10-21 20:21 . 2008-10-21 20:21 19,932 --a C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
2008-10-21 20:21 . 2008-10-21 20:21 19,831 --a C:\WINDOWS\system32\cilykanami.dl
2008-10-21 20:21 . 2008-10-21 20:21 19,118 --a C:\Documents and Settings\All Users\Application Data\ulam.sys
2008-10-21 20:21 . 2008-10-21 20:21 18,830 --a C:\Program Files\Common Files\detozu.com
2008-10-21 20:21 . 2008-10-21 20:21 17,036 --a C:\WINDOWS\ogawi.dat
2008-10-21 20:21 . 2008-10-21 20:21 16,754 --a C:\WINDOWS\system32\baxepi._dl
2008-10-21 20:21 . 2008-10-21 20:21 16,727 --a C:\WINDOWS\system32\aqohohameq.inf
2008-10-21 20:21 . 2008-10-21 20:21 14,567 --a C:\Documents and Settings\User\Application Data\iqacuce.dat
2008-10-21 20:21 . 2008-10-21 20:21 14,227 --a C:\WINDOWS\ivytac.dll
2008-10-21 20:21 . 2008-10-21 20:21 13,418 --a C:\WINDOWS\isam.reg
2008-10-21 20:21 . 2008-10-21 20:21 13,029 --a C:\Program Files\Common Files\jucadosos.dll
2008-10-21 20:21 . 2008-10-21 20:21 12,397 --a C:\WINDOWS\system32\umix.sys
2008-10-21 20:21 . 2008-10-21 20:21 11,986 --a C:\Documents and Settings\All Users\Application Data\awoq.pif
2008-10-21 20:21 . 2008-10-21 20:21 11,805 --a C:\WINDOWS\system32\irelul._dl
2008-10-21 20:21 . 2008-10-21 20:21 10,981 --a C:\Program Files\Common Files\yhuxovuw.vbs
2008-10-21 19:49 . 2008-10-21 19:49 19,474 --a C:\WINDOWS\qiximaz.bat
2008-10-21 19:49 . 2008-10-21 19:49 19,277 --a C:\Program Files\Common Files\axeja.bat
2008-10-21 19:49 . 2008-10-21 19:49 18,400 --a C:\Documents and Settings\All Users\Application Data\byluw.sys
2008-10-21 19:49 . 2008-10-21 19:49 17,654 --a C:\WINDOWS\system32\likoji.dl
2008-10-21 19:49 . 2008-10-21 19:49 17,512 --a C:\Documents and Settings\All Users\Application Data\qylo.exe
2008-10-21 19:49 . 2008-10-21 19:49 17,268 --a C:\Documents and Settings\All Users\Application Data\zulykuw.dat
2008-10-21 19:49 . 2008-10-21 19:49 16,991 --a C:\WINDOWS\fevezi.inf
2008-10-21 19:49 . 2008-10-21 19:49 15,801 --a C:\WINDOWS\dipuzud.bin
2008-10-21 19:49 . 2008-10-21 19:49 14,433 --a C:\WINDOWS\vokavet.bat
2008-10-21 19:49 . 2008-10-21 19:49 13,617 --a C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
2008-10-21 18:12 . 2008-10-21 18:12 163 --a C:\Documents and Settings\User\xrt_log.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 15:22 d w C:\Documents and Settings\User\Application Data\AVG7
2008-10-24 14:26 d w C:\Documents and Settings\User\Application Data\MSN6
2008-10-23 21:37 d w C:\Documents and Settings\All Users\Application Data\avg7
2008-10-21 23:59 d w C:\Documents and Settings\User\Application Data\AdobeUM
2008-10-21 23:55 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-21 23:55 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-09-16 19:52 d w C:\Documents and Settings\User\Application Data\Corel
2008-09-16 16:42 d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 16:01 d w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-16 16:00 1,111,632 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2008-09-16 16:00 d w C:\Program Files\Corel
2008-09-16 16:00 d w C:\Program Files\Common Files\Corel
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 22:11 d w C:\Program Files\myfantasyleague
2008-08-29 03:41 d w C:\Documents and Settings\User\Application Data\U3
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2006-07-11 23:10 61,737,440 ----a-w C:\Program Files\World_Wind_1.3.5_Full.exe
2006-07-11 20:18 24,265,736 ----a-w C:\Program Files\dotnetfx.exe
2006-07-11 18:44 61,737,440 ----a-w C:\Program Files\Nasa World Wind Setup.exe
2005-06-05 20:17 63,488 ----a-w C:\Documents and Settings\All Users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-06 05:27 2,184 ----a-w C:\Program Files\uninstal.log
.
Sigcheck
2002-08-29 06:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-05-26 19:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-21 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2002-08-29 06:00 200192 fe84e045a09a4abc4deef7270448b64e C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2008-10-21 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2007-05-09 478800]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE [2007-01-13 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a
2007-05-09 13:11 478800 C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2000-09-13 11682]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S3 NMUSB;NMUSB;C:\WINDOWS\system32\DRIVERS\Nmusb.sys [2003-05-22 40625]
S3 PTO;PTO;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-TDSSpaxt.sys
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 09:30:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-24 9:32:30
ComboFix-quarantined-files.txt 2008-10-24 15:32:25
Pre-Run: 94,294,257,664 bytes free
Post-Run: 94,283,169,792 bytes free
229 --- E O F --- 2008-10-20 09:04:17
LOG:
Logfile of random's system information tool 1.04 (written by random/random)
Run by User at 2008-10-24 09:45:39
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 90 GB (79%) free of 114 GB
Total RAM: 511 MB (22% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:29 AM, on 10/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PTO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe (file missing)
--
End of file - 7763 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll [2004-08-13 282624]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-08-15 57344]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2003-09-13 50688]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\point32.exe [2004-06-03 204800]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-17 590848]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-04 158208]
"Corel Photo Downloader"=C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe [2007-05-09 478800]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe [2007-05-09 478800]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"ForceClassicControlPanel"=1
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
shell\AutoRun\command - F:\LaunchU3.exe -a
======List of files/folders created in the last 1 months======
2008-10-24 09:45:39 ----D---- C:\rsit
2008-10-24 09:32:31 ----A---- C:\ComboFix.txt
2008-10-24 08:52:12 ----A---- C:\Boot.bak
2008-10-24 08:52:05 ----D---- C:\cmdcons
2008-10-24 08:50:58 ----A---- C:\WINDOWS\zip.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\VFIND.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\SWSC.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\SWREG.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\sed.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\NIRCMD.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\grep.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\fdsv.exe
2008-10-24 08:50:49 ----D---- C:\WINDOWS\ERDNT
2008-10-24 08:50:49 ----D---- C:\Qoobox
2008-10-23 16:47:52 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-10-23 16:47:49 ----D---- C:\Program Files\Alwil Software
2008-10-23 15:36:22 ----D---- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-10-23 14:46:13 ----D---- C:\Program Files\Free Window Registry Repair
2008-10-23 11:58:04 ----D---- C:\WINDOWS\pss
2008-10-23 11:42:00 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-22 10:13:43 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 08:32:52 ----D---- C:\Program Files\Trend Micro
2008-10-21 23:31:13 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 23:31:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:31:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 21:46:43 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-21 21:46:43 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 21:41:59 ----D---- C:\Program Files\SUPERAntiSpyware
2008-10-21 21:41:59 ----D---- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 21:41:31 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:28:59 ----A---- C:\WINDOWS\Sysvxd.exe
2008-10-21 21:26:33 ----A---- C:\WINDOWS\choice.exe
2008-10-21 21:09:54 ----D---- C:\Documents and Settings\User\Application Data\MSNInstaller
2008-10-21 20:21:53 ----A---- C:\WINDOWS\ivytac.dll
2008-10-21 20:21:53 ----A---- C:\Program Files\Common Files\yhuxovuw.vbs
2008-10-21 20:21:53 ----A---- C:\Program Files\Common Files\jucadosos.dll
2008-10-21 20:21:53 ----A---- C:\Program Files\Common Files\detozu.com
2008-10-21 19:49:55 ----A---- C:\WINDOWS\qiximaz.bat
2008-10-21 19:49:55 ----A---- C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
2008-10-21 19:49:54 ----A---- C:\WINDOWS\vokavet.bat
2008-10-21 19:49:54 ----A---- C:\Program Files\Common Files\axeja.bat
2008-10-21 19:49:54 ----A---- C:\Documents and Settings\All Users\Application Data\qylo.exe
======List of files/folders modified in the last 1 months======
2008-10-24 09:37:42 ----D---- C:\Documents and Settings\User\Application Data\MSN6
2008-10-24 09:32:38 ----D---- C:\WINDOWS\system32
2008-10-24 09:32:37 ----D---- C:\WINDOWS\Temp
2008-10-24 09:32:35 ----D---- C:\WINDOWS
2008-10-24 09:31:21 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-24 09:30:52 ----A---- C:\WINDOWS\system.ini
2008-10-24 09:30:42 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-24 09:30:05 ----D---- C:\WINDOWS\system32\drivers
2008-10-24 09:30:04 ----D---- C:\WINDOWS\AppPatch
2008-10-24 09:30:04 ----D---- C:\Program Files\Common Files
2008-10-24 09:25:58 ----RASH---- C:\boot.ini
2008-10-24 09:25:55 ----A---- C:\WINDOWS\win.ini
2008-10-24 09:22:09 ----D---- C:\Documents and Settings\User\Application Data\AVG7
2008-10-24 09:19:45 ----D---- C:\WINDOWS\system32\config
2008-10-24 08:50:48 ----D---- C:\WINDOWS\Prefetch
2008-10-24 08:20:29 ----SD---- C:\WINDOWS\Tasks
2008-10-23 16:47:49 ----RD---- C:\Program Files
2008-10-23 15:37:46 ----D---- C:\Documents and Settings\All Users\Application Data\avg7
2008-10-23 12:47:05 ----D---- C:\Documents and Settings
2008-10-23 11:34:06 ----D---- C:\WINDOWS\system32\LogFiles
2008-10-23 11:34:05 ----D---- C:\WINDOWS\Minidump
2008-10-23 10:51:32 ----RHD---- C:\$VAULT$.AVG
2008-10-22 08:38:32 ----D---- C:\WINDOWS\Debug
2008-10-21 23:41:47 ----SHD---- C:\WINDOWS\Installer
2008-10-21 23:41:47 ----HD---- C:\Config.Msi
2008-10-21 23:37:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-21 21:02:44 ----SD---- C:\Documents and Settings\User\Application Data\Microsoft
2008-10-21 20:54:55 ----D---- C:\Program Files\MSN
2008-10-21 20:54:49 ----HD---- C:\WINDOWS\inf
2008-10-21 17:59:05 ----D---- C:\Documents and Settings\User\Application Data\AdobeUM
2008-10-21 17:55:19 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-10-21 17:55:18 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-10-21 17:54:24 ----D---- C:\WINDOWS\Registration
2008-10-20 03:04:12 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-20 03:01:26 ----D---- C:\Program Files\Internet Explorer
2008-10-07 13:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-22 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-04-06 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-04-06 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-20 10760]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbfilter;Keyboard Filter Driver; C:\WINDOWS\system32\drivers\kbfilter.sys [2000-09-13 11682]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-04-06 4960]
R2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-08-14 404736]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-08-21 462940]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys [2004-05-21 6912]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2004-06-03 20352]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NMUSB;NMUSB; C:\WINDOWS\System32\DRIVERS\Nmusb.sys [2003-05-22 40625]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\MSN\MSNCoreFiles\SABProcEnum.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-10-22 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-04-06 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-20 406528]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.EXE [1999-12-13 44032]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 174656]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S3 PTO;PTO; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe []
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
EOF
INFO:
info.txt logfile of random's system information tool 1.04 2008-10-24 09:46:31
======Uninstall list======
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actiontec Gateway-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe Download Manager 1.2 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update-->MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ASIO4ALL-->C:\Program Files\ASIO4ALL v2\uninstall.exe
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Collab-->C:\Program Files\Image-Line\Collab\uninstall.exe
Corel Snapfire-->MsiExec.exe /X{0EE4030A-8FD4-4798-A21D-17E525B1F7CF}
Creative Jukebox Driver-->C:\Program Files\Creative\Jukebox Driver\DrvUnins.exe /s
Creative NOMAD II Driver-->C:\Program Files\Creative\NOMAD2 Driver\DrvUnins.exe /s
Creative PlayCenter 2-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\PlayCenter2\Player2.isu"
Deckadance-->C:\Program Files\VstPlugins\Deckadance\uninstall.exe
EMU7800-->MsiExec.exe /X{A7B9D802-94C0-4AF3-88F6-3D71C935F385}
FFLM version 7.01-->"C:\Program Files\Fantasy Manager\unins000.exe"
FL Studio 7-->C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
Free Window Registry Repair-->C:\PROGRA~1\FREEWI~1\UNWISE.EXE C:\PROGRA~1\FREEWI~1\INSTALL.LOG
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update-->MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
IL Download Manager-->C:\Program Files\Image-Line\Downloader\uninstall.exe
Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
iTunes-->MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LADSPA_plugins-win-0.4.15-->"C:\Program Files\Audacity\Plug-Ins\unins000.exe"
MagicKey-->UpUninst.exe C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MagicKey\Uninst.isu"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MathPlayer-->C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Outlook Web Access S/MIME-->MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Picture It! Express 9-->C:\WINDOWS\System32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9-->C:\WINDOWS\System32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSN Encarta Plus Support Files-->MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSN Money Investment Toolbox-->C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:5
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSN Toolbar-->C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\mtbs.exe c
MSN-->C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Musicnotes Player V1.22.3-->"C:\Program Files\Musicnotes\Player\unins000.exe"
myfantasyleague.com Game Day 2008-->"C:\Program Files\myfantasyleague\unins000.exe"
NOMAD II Manual-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\NOMAD II MANUAL\Uninst.isu"
NTI CD-Maker 6 Gold-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
NVIDIA Display Driver-->C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Puzzle Master 4-->C:\PROGRA~1\eGames\PUZZLE~1\UNWISE.EXE C:\PROGRA~1\eGames\PUZZLE~1\INSTALL.LOG
Quicken 2002 Basic-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime-->MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Studio Buddy-->C:\WINDOWS\unvise32.exe c:\PROGRA~1\uninstal.log
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VST Bridge 1.0-->"C:\Program Files\Audacity\Plug-Ins\Plug-ins\VST Bridge\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
=====HijackThis Backups=====
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - AppInit_DLLs: karna.dat
======Security center information======
AV: AVG 7.5.549 (disabled)
AV: avast! antivirus 4.8.1229 [VPS 081024-0]
FW: Norton Internet Worm Protection (disabled)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
EOF
What was it that should have been removed? As you can see below, nothing was found, which is quite unusual. Please let me know what looks bad. Thanks.
Malwarebytes' Anti-Malware 1.30
Database version: 1313
Windows 5.1.2600 Service Pack 2
10/24/2008 10:49:32 AM
mbam-log-2008-10-24 (10-49-32).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 115181
Time elapsed: 46 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Step 1
Submit a File For Analysis
We need to have the files below scanned by uploading them/it to VirusTotal
Please visit VirusTotal
Copy/paste the following file path into the window
C:\WINDOWS\Sysvxd.exe
Click Submit/Send File
Please post back, to let me know the results.
Please do the same for the following file
C:\WINDOWS\choice.exe
If VirusTotal is too busy please try Jotti
Step 2
Custom CFScript
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Step 3
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
Now download and install Java Runtime Environment (JRE).
Step 4
Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Step 5
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
File Sysvxd.exe received on 10.16.2008 11:00:31 (CET)
Current status: finished
Result: 0/36 (0.00%)
Antivirus           Version           Last Update   Result
AhnLab-V3           2008.10.16.0      2008.10.16    -
AntiVir             7.9.0.4           2008.10.16    -
Authentium          5.1.0.4           2008.10.16    -
Avast               4.8.1248.0        2008.10.15    -
AVG                 8.0.0.161         2008.10.16    -
BitDefender         7.2               2008.10.16    -
CAT-QuickHeal       9.50              2008.10.16    -
ClamAV              0.93.1            2008.10.16    -
DrWeb               4.44.0.09170      2008.10.16    -
eSafe               7.0.17.0          2008.10.15    -
eTrust-Vet          31.6.6150         2008.10.16    -
Ewido               4.0               2008.10.15    -
F-Prot              4.4.4.56          2008.10.15    -
F-Secure            8.0.14332.0       2008.10.16    -
Fortinet            3.113.0.0         2008.10.16    -
GData               19                2008.10.16    -
Ikarus              T3.1.1.34.0       2008.10.16    -
K7AntiVirus         7.10.496          2008.10.15    -
Kaspersky           7.0.0.125         2008.10.16    -
McAfee              5406              2008.10.16    -
Microsoft           1.4005            2008.10.16    -
NOD32               3526              2008.10.16    -
Norman              5.80.02           2008.10.15    -
Panda               9.0.0.4           2008.10.15    -
PCTools             4.4.2.0           2008.10.15    -
Prevx1              V2                2008.10.16    -
Rising              20.66.32.00       2008.10.16    -
SecureWeb-Gateway   6.7.6             2008.10.16    -
Sophos              4.34.0            2008.10.16    -
Sunbelt             3.1.1727.1        2008.10.16    -
Symantec            10                2008.10.16    -
TheHacker           6.3.1.0.114       2008.10.15    -
TrendMicro          8.700.0.1004      2008.10.16    -
VBA32               3.12.8.7          2008.10.16    -
ViRobot             2008.10.16.1422   2008.10.16    -
VirusBuster         4.5.11.0          2008.10.15    -
Additional information
File size: 2002 bytes
MD5...: fb02957ebc0a93ae729ec416441c2978
SHA1..: 98534600c3820593187cc644b42a4220c1051144
SHA256: ecf1baa5b5cfbe6712dfa7b54f90d572e0692f6b579db4382bcca2866cbb991f
SHA512: 1d2effe4dac20dd71a8b0cdb4786e2f6023d2431fae5e3350749974beabbc436efde28440c023690210118219c50ed8daa78eb1d6d40475ffc9d3cf565dea0dc
PEiD..: -
TrID..: File type identification
HyperText Markup Language with DOCTYPE (80.6%)
HyperText Markup Language (19.3%)
PEInfo: -
*************
File choice.exe received on 10.09.2008 00:00:06 (CET)
Current status: finished
Result: 1/36 (2.78%)
Antivirus           Version           Last Update   Result
AhnLab-V3           2008.10.3.2       2008.10.08    -
AntiVir             7.8.1.34          2008.10.08    -
Authentium          5.1.0.4           2008.10.08    -
Avast               4.8.1248.0        2008.10.08    -
AVG                 8.0.0.161         2008.10.08    -
BitDefender         7.2               2008.10.08    -
CAT-QuickHeal       9.50              2008.10.08    -
ClamAV              0.93.1            2008.10.08    -
DrWeb               4.44.0.09170      2008.10.08    -
eSafe               7.0.17.0          2008.10.08    Suspicious File
eTrust-Vet          31.6.6134         2008.10.07    -
Ewido               4.0               2008.10.08    -
F-Prot              4.4.4.56          2008.10.08    -
F-Secure            8.0.14332.0       2008.10.08    -
Fortinet            3.113.0.0         2008.10.08    -
GData               19                2008.10.08    -
Ikarus              T3.1.1.34.0       2008.10.08    -
K7AntiVirus         7.10.488          2008.10.08    -
Kaspersky           7.0.0.125         2008.10.08    -
McAfee              5400              2008.10.07    -
Microsoft           1.4005            2008.10.08    -
NOD32               3504              2008.10.08    -
Norman              5.80.02           2008.10.07    -
Panda               9.0.0.4           2008.10.07    -
PCTools             4.4.2.0           2008.10.08    -
Prevx1              V2                2008.10.09    -
Rising              20.65.22.00       2008.10.08    -
SecureWeb-Gateway   6.7.6             2008.10.08    -
Sophos              4.34.0            2008.10.08    -
Sunbelt             3.1.1708.1        2008.10.08    -
Symantec            10                2008.10.08    -
TheHacker           6.3.1.0.103       2008.10.07    -
TrendMicro          8.700.0.1004      2008.10.08    -
VBA32               3.12.8.6          2008.10.07    -
ViRobot             2008.10.8.1412    2008.10.08    -
VirusBuster         4.5.11.0          2008.10.08    -
Additional information
File size: 21312 bytes
MD5...: 2e5832d56dcc6dc7ecb1cbe9ea350b9b
SHA1..: 0dfad92a2f9305ed8d46e374bf0bf36a554a9900
SHA256: 4223fa3cc5e3a0c3646addcc27911aec1c6858ca36b375bf5bf6370215679be4
SHA512: 013f3e82565150e56e311aef189f4010bb8262eef99f1a85653ab2013225071cf798e3502664ed85e55c0c578c11a81f2c1ace1ea95ca8e179f6af2f15849153
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x100fa50
timedatestamp.....: 0x385fa388 (Tue Dec 21 15:58:00 1999)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xb000 0x5000 0x4c00 7.87 ab0a276a59e31f203f4a918d004916f6
UPX2 0x10000 0x1000 0x200 1.44 fb560fb590e032d609686e011bef8d53
( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> USER32.dll: wsprintfA
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=2e5832d56dcc6dc7ecb1cbe9ea350b9b
packers (Kaspersky): UPX
packers (F-Prot): UPX
ComboFix 08-10-23.08 - User 2008-10-24 11:59:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\All Users\Application Data\awoq.pif
C:\Documents and Settings\All Users\Application Data\byluw.sys
C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
C:\Documents and Settings\All Users\Application Data\qylo.exe
C:\Documents and Settings\All Users\Application Data\ulam.sys
C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
C:\Documents and Settings\All Users\Application Data\zulykuw.dat
C:\Documents and Settings\User\Application Data\iqacuce.dat
C:\Program Files\Common Files\axeja.bat
C:\Program Files\Common Files\detozu.com
C:\Program Files\Common Files\jucadosos.dll
C:\Program Files\Common Files\yhuxovuw.vbs
C:\WINDOWS\dipuzud.bin
C:\WINDOWS\fevezi.inf
C:\WINDOWS\isam.reg
C:\WINDOWS\ivytac.dll
C:\WINDOWS\ogawi.dat
C:\WINDOWS\qiximaz.bat
C:\WINDOWS\system32\aqohohameq.inf
C:\WINDOWS\system32\baxepi._dl
C:\WINDOWS\system32\cilykanami.dl
C:\WINDOWS\system32\irelul._dl
C:\WINDOWS\system32\likoji.dl
C:\WINDOWS\system32\umix.sys
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\vokavet.bat
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\awoq.pif
C:\Documents and Settings\All Users\Application Data\byluw.sys
C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
C:\Documents and Settings\All Users\Application Data\qylo.exe
C:\Documents and Settings\All Users\Application Data\ulam.sys
C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
C:\Documents and Settings\All Users\Application Data\zulykuw.dat
C:\Documents and Settings\User\Application Data\iqacuce.dat
C:\Program Files\Common Files\axeja.bat
C:\Program Files\Common Files\detozu.com
C:\Program Files\Common Files\jucadosos.dll
C:\Program Files\Common Files\yhuxovuw.vbs
C:\WINDOWS\dipuzud.bin
C:\WINDOWS\fevezi.inf
C:\WINDOWS\isam.reg
C:\WINDOWS\ivytac.dll
C:\WINDOWS\ogawi.dat
C:\WINDOWS\qiximaz.bat
C:\WINDOWS\system32\aqohohameq.inf
C:\WINDOWS\system32\baxepi._dl
C:\WINDOWS\system32\cilykanami.dl
C:\WINDOWS\system32\irelul._dl
C:\WINDOWS\system32\likoji.dl
C:\WINDOWS\system32\umix.sys
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\vokavet.bat
.
FCopy
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe --> C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll --> C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_PTO
\Service_PTO
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.
2008-10-24 11:59 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-10-24 09:45 . 2008-10-24 09:50 <DIR> d-------- C:\rsit
2008-10-23 16:47 . 2008-10-23 16:47 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-23 15:36 . 2008-10-23 15:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-10-23 14:46 . 2008-10-23 14:58 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2008-10-23 12:47 . 2008-10-23 12:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-22 10:13 . 2008-10-22 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 08:32 . 2008-10-22 08:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 23:31 . 2008-10-23 20:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 23:31 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 21:46 . 2008-10-23 19:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-21 21:46 . 2008-10-24 08:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 21:26 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-10-21 21:09 . 2008-10-21 21:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\MSNInstaller
2008-10-21 18:12 . 2008-10-21 18:12 163 --a------ C:\Documents and Settings\User\xrt_log.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 15:37 --------- d-----w C:\Documents and Settings\User\Application Data\MSN6
2008-10-24 15:22 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2008-10-23 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-10-21 23:59 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-09-16 19:52 --------- d-----w C:\Documents and Settings\User\Application Data\Corel
2008-09-16 16:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-16 16:00 1,111,632 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2008-09-16 16:00 --------- d-----w C:\Program Files\Corel
2008-09-16 16:00 --------- d-----w C:\Program Files\Common Files\Corel
2008-09-08 22:11 --------- d-----w C:\Program Files\myfantasyleague
2008-08-29 03:41 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-07-11 23:10 61,737,440 ----a-w C:\Program Files\World_Wind_1.3.5_Full.exe
2006-07-11 20:18 24,265,736 ----a-w C:\Program Files\dotnetfx.exe
2006-07-11 18:44 61,737,440 ----a-w C:\Program Files\Nasa World Wind Setup.exe
2005-06-05 20:17 63,488 ----a-w C:\Documents and Settings\All Users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-06 05:27 2,184 ----a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((( snapshot@2008-10-24_ 9.31.57.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:07 295,424 ----a-w C:\WINDOWS\LastGood.Tmp\system32\termsrv.dll
+ 2004-08-04 07:56:46 295,424 -c--a-w C:\WINDOWS\system32\dllcache\termsrv.dll
+ 2004-08-04 07:56:57 502,272 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
+ 2008-10-24 18:02:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2007-05-09 478800]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE [2007-01-13 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-05-09 13:11 478800 C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2000-09-13 11682]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
S3 NMUSB;NMUSB;C:\WINDOWS\system32\DRIVERS\Nmusb.sys [2003-05-22 40625]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 12:03:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-10-24 12:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-24 18:10:47
ComboFix2.txt 2008-10-24 15:32:31
Pre-Run: 94,264,594,432 bytes free
Post-Run: 94,317,154,304 bytes free
223 --- E O F --- 2008-10-20 09:04:17
JavaRa 1.11 Removal Log.
Report follows after line.
The JavaRa removal process was started on Fri Oct 24 12:28:22 2008
Found and removed: C:\Program Files\Java\jre1.5.0_07
Found and removed: C:\Program Files\Java\jre1.6.0_02
Found and removed: C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64
Found and removed: Software\JavaSoft\Java2D\1.5.0_07
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Classes\JavaPlugin.150_07
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_07
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_07
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150070}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Classes\JavaPlugin.160_02
Found and removed: SOFTWARE\Classes\JavaPlugin.160_03
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_02
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_02
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 24, 2008 20:52:26
Records in database: 1343168
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 68209
Threat name: 6
Infected objects: 13
Suspicious objects: 2
Duration of the scan: 01:22:30
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\308430E0.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42005DFE.79 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42005DFE.79 Infected: Email-Worm.Win32.NetSky.q 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F9830BD.8d Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F9830BD.8d Infected: Email-Worm.Win32.NetSky.q 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D547282.58 Infected: Email-Worm.Win32.NetSky.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqlt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSShrxr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnmxh.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSosvn.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrtqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
The selected area was scanned.
Actually, that Kaspersky log is fine. All the items it found have already been put in quarantine
Now, I need you to upload some files for me as the auto submit didn't work.
(that is, if you don't mind helping us)
Your files will find their way into the Antivirus databases, so you will have done your bit towards helping everyone with a computer.
Let's see where that .zip file went to
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.
Double click on look.bat
Please be patient, as this will search the entire disc
Notepad will open, please copy/paste the results here.
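Triaging a report like the Kaspersky one above: an added example, written for this thread rather than taken from it or from any of the tools named, that parses the report's `path Status: Threat count` lines and separates hits sitting inside ComboFix's Qoobox and Norton's quarantine folders (already neutralised copies, as noted above) from files still at their live location. The sample lines are constructed in the report's format; the one live-path hit and its file name are invented for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the format of the Kaspersky Online Scanner 7 report posted above.
# The last detection line (TDSSexample.sys, outside any quarantine folder) is invented to
# show what a hit that still needs attention looks like.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus\\Quarantine\\42005DFE.79 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus\\Quarantine\\42005DFE.79 Infected: Email-Worm.Win32.NetSky.q 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\TDSSpaxt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\TDSShrxr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\\WINDOWS\\system32\\drivers\\TDSSexample.sys Infected: Backdoor.Win32.TDSS.ats 1
The selected area was scanned.
"""

# Folders that hold copies already taken out of play: ComboFix's Qoobox and Norton's quarantine.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\norton antivirus\\quarantine\\")

# One detection per line: <path with spaces> <Infected|Suspicious>: <threat name> <count>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Return one dict per detection line; header, footer and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["count"] = int(hit["count"])
        # A hit inside a quarantine folder is a neutralised copy, not a live infection.
        hit["quarantined"] = any(marker in hit["path"].lower() for marker in QUARANTINE_MARKERS)
        hits.append(hit)
    return hits


def triage(text):
    """Summarise a report: how many hits are quarantined copies, which are live, and what was found."""
    hits = parse_report(text)
    live = [h for h in hits if not h["quarantined"]]
    threats = Counter(h["threat"] for h in hits)
    return {
        "total": len(hits),
        "quarantined": len(hits) - len(live),
        "live": live,            # these are the ones a helper would still ask about
        "threats": threats,      # detections per threat name
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['total']} hits, {summary['quarantined']} already in quarantine")
    for hit in summary["live"]:
        print("LIVE:", hit["path"], hit["threat"])
```

With the report as actually posted, the live list is empty, which is the check behind "that Kaspersky log is fine".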
Volume in drive C has no label.
Volume Serial Number is F87D-4C7C
Directory of C:\qoobox
[.] ComboFix2.txt
[..] [Quarantine]
Add-Remove Programs.txt snapshot@2008-10-24_ 9.31.57.14.dat
[BackEnv] snapshot@2008-10-24_ 9.31.57.14_B.dat
CFScript_used_2008-10-24@11.57.txt
ComboFix-quarantined-files.txt
6 File(s) 2,091,859 bytes
Directory of C:\qoobox\BackEnv
[.] personal.folder.dat
[..] Profiles.Folder.dat
appdata.folder.dat programs.folder.dat
cache.folder.dat SetPath.bat
Cookies.folder.dat startmenu.folder.dat
desktop.folder.dat startup.folder.dat
favorites.folder.dat SysPath.dat
localappdata.folder.dat templates.folder.dat
localsettings.folder.dat
mypictures.folder.dat
16 File(s) 18,115 bytes
Directory of C:\qoobox\Quarantine
[.] [Registry_backups]
[..] [4]-Submit_2008-10-24@11.57.zip
[C]
catchme.log
2 File(s) 692,344 bytes
Directory of C:\qoobox\Quarantine\C
[.] [Documents and Settings] [WINDOWS]
[..] [Program Files]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings
[.] [..] [All Users] [User]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\All Users
[.] [..] [Application Data]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data
[.] byluw.sys.vir ulam.sys.vir
[..] ecemidisi.dll.vir vonydaxid.scr.vir
awoq.pif.vir qylo.exe.vir zulykuw.dat.vir
7 File(s) 117,833 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\User
[.] [Application Data]
[..] [Cookies]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\User\Application Data
[.] [..] iqacuce.dat.vir
1 File(s) 14,567 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\User\Cookies
[.] acexaneq.ban.vir ozawy.pif.vir yhoja._dl.vir
[..] nuhe.dat.vir ucalag.lib.vir
5 File(s) 76,983 bytes
Directory of C:\qoobox\Quarantine\C\Program Files
[.] [..] [Common Files]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Program Files\Common Files
[.] axeja.bat.vir jucadosos.dll.vir
[..] detozu.com.vir yhuxovuw.vbs.vir
4 File(s) 62,117 bytes
Directory of C:\qoobox\Quarantine\C\WINDOWS
[.] fevezi.inf.vir ogawi.dat.vir Sysvxd.exe.vir
[..] isam.reg.vir qiximaz.bat.vir vokavet.bat.vir
dipuzud.bin.vir ivytac.dll.vir [system32]
8 File(s) 113,382 bytes
Directory of C:\qoobox\Quarantine\C\WINDOWS\system32
[.] TDSSlxwp.dll.vir TDSSsbhc.log.vir
[..] TDSSmaxt.dat.vir TDSSthym.dll.vir
aqohohameq.inf.vir TDSSnmxh.dll.vir TDSStkdv.dll.vir
baxepi._dl.vir TDSSnmxh.log.vir TDSStkdv.log.vir
cilykanami.dl.vir TDSSnrsr.dll.vir TDSSvvbi.dll.vir
[drivers] TDSSoeqh.dll.vir TDSSvvbi.log.vir
irelul._dl.vir TDSSoiqh.dll.vir TDSSxfum.dll.vir
likoji.dl.vir TDSSoiqt.dll.vir termsrv.dll.vir
TDSSbubv.log.vir TDSSosvn.dat.vir umix.sys.vir
TDSScfub.dll.vir TDSSosvn.dll.vir windows_update.exe.vir
TDSSfpmp.dll.vir TDSSrhyp.dll.vir winlogon.exe.vir
TDSShrxr.dll.vir TDSSriqp.dll.vir
TDSSkpjp.log.vir TDSSrtqp.dll.vir
TDSSlrvd.dat.vir TDSSsbhc.dll.vir
36 File(s) 1,763,999 bytes
Directory of C:\qoobox\Quarantine\C\WINDOWS\system32\drivers
[.] TDSSpaxt.sys.vir TDSSpqxt.sys.vir
[..] TDSSpqlt.sys.vir
3 File(s) 181,248 bytes
Directory of C:\qoobox\Quarantine\Registry_backups
[.] SafeBoot-TDSSpaxt.sys.reg.dat
[..] Service_PTO.reg.dat
HKLM-Run-CFSServ.exe.reg.dat Service_TDSSserv.reg.dat
HKLM-Run-NDSTray.exe.reg.dat Service_TDSSserv.sys).reg.dat
HKLM-Run-TFncKy.reg.dat tcpip.reg
Legacy_PTO.reg.dat
9 File(s) 10,019 bytes
Total Files Listed:
97 File(s) 5,142,466 bytes
47 Dir(s) 94,230,999,040 bytes free
In the box marked Link to topic where this file was requested: please copy/paste this text
Now click Browse and navigate to C:\qoobox\Quarantine\[4]-Submit_2008-10-24@11.57.zip
In the Largest box please put Finally click SendFile
Let me know when you have done that.
Last steps now ....
OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Congratulations your logs look clean
Let's see if I can help you keep it that way
First let's tidy up.
Open OTMoveIt and click Cleanup;
it will now connect to the internet and get a list of files to delete.
When a box pops up, click YES.
You can also delete any logs we have produced, and empty your Recycle bin.
Enable Teatimer
The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details
AntiSpyware
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list come in free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Prevention
Each does a different job, so you can have more than one.
Internet Browsers
Using a different web browser can help stop malware getting on your machine.
If you are still using IE6 then either update, or get one of the following.
Cleaning Temporary Internet Files and Tracking Cookies
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION: If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.
Both of these can be cleaned manually, but a quicker option is to use a program.
Also, PLEASE read this article: So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again.
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Here is the message when running MoveIt:
The application or DLL C:\Documents and Settings\All USers\Application Data\Symantec\Norton AntiVirus\Quarantine\241F2FB2.dll is not a valid Windows image. Please check this against your installation diskette.
Use this with OTMoveIT
My entire household, and especially myself, thanks you immensely. I have done everything except read the how did I get infected in the first place article (by the way, I subscribe to Netflix and downloaded a movie viewer they have so that you can watch things online, and that pretty much coincides with my problems' beginning - no sketchy sites including porn)
I have a couple of questions and then I shall leave you alone - for now! Ha ha...
- Windows asks me on startup about running System Restore - what should I do with that?
- Windows also asks about security - firewall is disabled. I do not have any other firewall software. What should I do about that?
Otherwise, everything is ok; you can archive the thread. Again I thank you very much and I would make you a cheesecake (MY specialty) to reciprocate; alas I fear that is impossible! Have a great day, life, etc. - A.
It should ask about Recovery Console for about 2-3 seconds at start up, not System Restore.
I recommend that you leave that in place, as it could save your machine one day.
When it prompts about the firewall, if you click the balloon it should give you an option to disable notification.
So, will I not need a firewall then on top of everything else I have, and I should disable the Windows firewall?
Sometimes you have to trade safety with performance.
If you can live with less speed, then definitely use a firewall.
Firewall
A third party firewall is much safer than the Windows basic firewall, as it stops malware that does get on your PC from contacting "home". Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out. It is recommended to have only one firewall active.
- Comodo Firewall
- Outpost Firewall
And thank you again very much.