3.3K Posts

September 6th, 2007 02:00

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click "Look2Me-Destroyer.exe" to run it.
  • Put a check next to "Run this program as a task."
  • You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click "OK".
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the "Remove L2M" button.
  • You will receive a "Done Scanning" message, click "OK".
  • When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click "OK".
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please remember to post the contents of C:\Look2Me-Destroyer.txt on your next reply. The log can be found wherever the fix is located - if Look2Me-Destroyer is on the desktop that's where the log will be.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the Internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Then you click the Remove L2M button and wait for it to give you a message. When you click OK it should shut itself down.

Please download FixWareout from one of these sites:
Subratam
Bleepingcomputer

Save it to your desktop and run it. Click Next, then Install... make sure "Run fixit" is checked and click Finish. Please follow the prompts when the fix begins.

Reboot when prompted.
Your system may take longer than usual to load...this is normal and expected.

Once the desktop loads, a report will be presented (report.txt). Please post that report, the Look2Me-Destroyer.txt, and a fresh Hijackthis log in your next reply. Thanks!

59 Posts

September 7th, 2007 12:00

1972vet

First, thank you very much for helping me diagnose and fix my problems.

Since my problems became serious, I've been trying to stay off the internet for fear of making matters worse or incurring more serious security breaches. But I connected briefly last night to download the software you recommended using Firefox. While trying to access the DELL Support Forum page, Firefox stopped responding. I recalled that when this happened previously, running an AdAware smart scan and a McAfee on-demand scan fixed enough problems to get Firefox to run again for a short while, so I did this again last night. AdAware found a few problems that I removed and McAfee found 52 suspicious files that it called either Malware or Trojans that it deleted. Sure enough, I was able to access the DELL Support Forum page after that and download the software. I know this is a long explanation, but I just wanted to let you know in the interest of providing you complete information and in case this explains any changes you may see in the new HijackThis log.

I then followed your instructions. Three reboots were required before Look2Me-Destroyer finally reopened after I selected Scan for L2M, but it finally worked and I didn't need to use MSWINSCK.OCX.

The text you requested from the log files is appended below.

Look2Me-Destroyer.txt:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 9/6/2007 10:40:03 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
____________________________________

report.txt (from FixWareout.exe):

Username "alf82" - 09/06/2007 22:48:57 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cshzw.exe"
Service: "Windows Management Service" = C:\WINDOWS\System32\dmpkg.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.146 85.255.112.196"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{29BE81B5-D22F-410B-9B8D-8F8AEF6CC5FA}
"nameserver"="85.255.116.146,85.255.112.196"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3F50266D-7178-4E23-9E55-E4F2BBE8B86A}
"nameserver"="85.255.116.146,85.255.112.196"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B68AACF7-76E8-41B1-A977-7A28EAC38788}
"nameserver"="85.255.116.146,85.255.112.196"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B68AACF7-76E8-41B1-A977-7A28EAC38788}
"DhcpNameServer"="85.255.116.146,85.255.112.196"


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4F55C413F4C4-1E09-6BB4-93E4-9BF9B795{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9CDAECB99AE9-CDD9-6424-DDC1-1E863874{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "tzymd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "gkpmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}71B4855368E8-D34A-FCB4-0420-6B85BB3C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "wzhsc" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmyzt.exe" Value deleted
HKCR\CLSID\{1C046868-C7D0-4F41-A5CA-A84844734156}\_h\4 Deleted.
HKCR\CLSID\{3284BCB4-52AE-4948-8D0A-FAB26C6F999B}\_h\4 Deleted.
HKCR\CLSID\{7F0D7AEC-8CAB-46AF-8B21-205B14ECFEC5}\_h\4 Deleted.
HKCR\CLSID\{C88635F1-DB31-4EFF-B902-2D3BF64D250C}\_h\4 Deleted.
HKCR\CLSID\{F249F719-8BF9-43F4-900C-89199322CD3B}\_h\4 Deleted.
....
~~~~~ Misc files.
C:\Documents and Settings\Annie Fowler\Application Data\Install.dat Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\cshzw.ren 52776 09/01/2007
C:\WINDOWS\Temp\dmpkg.ren 62979 08/29/2002


C:\Program Files\Ultimate Cleaner Found
Additional tools are recommended.

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 NT Adv Services"="taskmngr.exe"
"Camra Updates"="serviceswu.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AAWTray"="C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\AAWTray.exe"
"spoolsvv"="C:\\WINDOWS\\System32\\spoolsvv.exe"
"WinAVX"="C:\\WINDOWS\\System32\\WinAvXX.exe"
"PCTVOICE"="pctspk.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"avp"="C:\\WINDOWS\\avp.exe"
"smgr"="mgrs.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camra Updates"="serviceswu.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Sfl"="\"C:\\Documents and Settings\\Annie Fowler\\My Documents\\?racle\\userinit.exe\""
"autoload"="C:\\WINDOWS\\System32\\drivers\\svchost.exe"
"autorun"="C:\\Documents and Settings\\Annie Fowler\\svchost.exe"
"Aida"="\"C:\\PROGRA~1\\CROSOF~1\\ati2evxx.exe\" -vt ndrv"
"Brave-Sentry"="C:\\Program Files\\BraveSentry\\BraveSentry.exe"
"WinAVX"="C:\\WINDOWS\\System32\\WinAvXX.exe"
"Apeo"="\"C:\\WINDOWS\\SCURIT~1\\winlogon.exe\" -vt ndrv"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
____________________________________________________

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:02 PM, on 9/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\avp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\mgrs.exe
C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\vtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Camra Updates] serviceswu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKCU\..\Run: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sfl] "C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Annie Fowler\svchost.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\CROSOF~1\ati2evxx.exe" -vt ndrv
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [Apeo] "C:\WINDOWS\SCURIT~1\winlogon.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [USB Driver4] UpdateXP2.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Camra Updates] serviceswu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [USBDrives] msfirewalI.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSASS32] ISASS32.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [USB Driver4] UpdateXP2.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSASS32] ISASS32.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188195863193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188195832018
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/2007/download.php?file=2&aid=rrdef1_11_asr&lid=1034&affid=3
O20 - AppInit_DLLs: c:\windows\system32\pmkjifc.dll
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: DPCDFR - C:\WINDOWS\SYSTEM32\DPCDFR.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O21 - SSODL: CDVfQUB - {E4DC5B2C-4E76-F186-6D41-2218BC043068} - C:\WINDOWS\System32\nzmal.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Annie Fowler\Application Data\tmp19.tmp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 7856 bytes
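
The O4 entries in the log above are what a helper reads for persistence. As an added example (not part of this thread, nor code from HijackThis, FixWareout or ComboFix), the script below runs a few triage rules over a handful of those O4 lines, embedded as a constructed sample copied from the log. The rule set, the system-binary and directory lists, and the reason strings are my own assumptions for illustration.

```python
"""Triage of HijackThis O4 (autostart) lines.

Added example for this thread; not HijackThis, FixWareout or ComboFix code.
The rules encode what a helper looks for in a log like the one above:
Windows system-binary names outside the system directory, paths containing
a character HijackThis could not print ('?'), confusable look-alike names,
bare filenames resolved by PATH search, and one command registered in many
autostart locations at once. Lists and thresholds are assumptions.
"""
import re
from collections import defaultdict

# "O4 - HKCU\..\Run: [name] command (User 'SYSTEM')" -> location, name, command
O4_RE = re.compile(
    r"^O4 - (?P<loc>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

# Assumed: binaries that legitimately live only in these directories on XP.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "winlogon.exe", "lsass.exe",
                   "explorer.exe", "spoolsv.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

R_NONPRINT = "path contains a non-printable or non-ASCII character"
R_SYSNAME = "system binary name outside the Windows system directory"
R_LOOKALIKE = "confusable look-alike of a system binary name"
R_BARE = "bare filename, resolved by PATH search at logon"
R_MULTI = "registered in {} autostart locations"


def parse_o4(line):
    """Return (location, entry name, command) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return (m.group("loc"), m.group("name"), m.group("cmd")) if m else None


def image_path(cmd):
    """Executable path from a Run-key command: the quoted token, or text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def lookalike_of(base):
    """Fold confusables (capital I and digit 1 read as l, 0 as o), lowercase, and
    strip trailing digits from the stem: 'ISASS32.EXE' normalises to 'lsass.exe'."""
    folded = base.translate(str.maketrans("I10", "llo")).lower()
    stem, dot, ext = folded.rpartition(".")
    if not dot:
        return folded
    return stem.rstrip("0123456789") + "." + ext


def triage(lines):
    """Apply the rules to HijackThis lines; returns (entry name, image, reason) tuples."""
    findings = []
    locations = defaultdict(set)          # image basename -> autostart locations
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        loc, name, cmd = parsed
        img = image_path(cmd)
        folder, _, raw_base = img.rpartition("\\")
        folder, base = folder.lower(), raw_base.lower()
        locations[base].add(loc)
        if "?" in img or any(ord(ch) > 127 for ch in img):
            findings.append((name, img, R_NONPRINT))
        if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
            findings.append((name, img, R_SYSNAME))
        alike = lookalike_of(raw_base)
        if alike in SYSTEM_BINARIES and alike != base:
            findings.append((name, img, R_LOOKALIKE))
        if not folder:
            findings.append((name, img, R_BARE))
    for base, locs in locations.items():
        if len(locs) >= 3:
            findings.append(("*", base, R_MULTI.format(len(locs))))
    return findings


# Constructed sample: a subset of the O4 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Camra Updates] serviceswu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [Sfl] "C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Annie Fowler\svchost.exe
O4 - HKCU\..\Run: [Apeo] "C:\WINDOWS\SCURIT~1\winlogon.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [Camra Updates] serviceswu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSASS32] ISASS32.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for entry, image, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"[{entry}] {image}: {reason}")
```

Entries such as TkBellExe and AAWTray produce no finding, which is the point of a triage pass: it narrows the list the helper has to read by hand rather than replacing that reading.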

3.3K Posts

September 7th, 2007 15:00

Your computer is seriously infected due largely to the absence of the protection from the SP2 patches. There is a sequence of cleaning steps that we must follow because of the types of malware you have present on the system. Some of these are very adept at hiding other malware and interfering with our efforts to remove them.

The WareOut and Look2Me were the first priority...next we need to remove Vundo.

Please do not run any more scans unless directed.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

59 Posts

September 8th, 2007 12:00

I ran VundoFix (v6.5.8) and found two files. VundoFix was able to delete one; the other one (C:\windows\system32\pmkjifc.dll) was unable to be deleted even after 4 reboots and reattempts at removal. The contents of VundoFix.txt and a new HijackThis log are appended.

VundoFix.txt:

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 8:36:20 AM 9/8/2007

Listing files found while scanning....

C:\windows\system32\pmkjifc.dll
C:\WINDOWS\System32\tmp9.tmp.dll

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\tmp9.tmp.dll
C:\WINDOWS\System32\tmp9.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 8:45:38 AM 9/8/2007

Listing files found while scanning....

C:\windows\system32\pmkjifc.dll

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 8:54:49 AM 9/8/2007

Listing files found while scanning....

C:\windows\system32\pmkjifc.dll

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 9:03:40 AM 9/8/2007

Listing files found while scanning....

C:\windows\system32\pmkjifc.dll

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 9:11:21 AM 9/8/2007

Listing files found while scanning....

C:\windows\system32\pmkjifc.dll

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\pmkjifc.dll
C:\windows\system32\pmkjifc.dll Could not be deleted.

Performing Repairs to the registry.
Done!
_______________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:45 AM, on 9/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\vtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Camra Updates] serviceswu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKCU\..\Run: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sfl] "C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Annie Fowler\svchost.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\CROSOF~1\ati2evxx.exe" -vt ndrv
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [Apeo] "C:\WINDOWS\SCURIT~1\winlogon.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [USB Driver4] UpdateXP2.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Camra Updates] serviceswu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [USBDrives] msfirewalI.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSASS32] ISASS32.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [USB Driver4] UpdateXP2.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSASS32] ISASS32.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188195863193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188195832018
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/2007/download.php?file=2&aid=rrdef1_11_asr&lid=1034&affid=3
O20 - AppInit_DLLs: c:\windows\system32\pmkjifc.dll
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: DPCDFR - C:\WINDOWS\SYSTEM32\DPCDFR.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O21 - SSODL: CDVfQUB - {E4DC5B2C-4E76-F186-6D41-2218BC043068} - C:\WINDOWS\System32\nzmal.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Annie Fowler\Application Data\tmp19.tmp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 7855 bytes

3.3K Posts

September 8th, 2007 16:00

Please download Combofix from Here Or Here.

Save ComboFix to the desktop.


  1. Double click on combo.exe & follow the prompts.
  2. When finished, it will produce a logfile located at C:\ComboFix.txt.
  3. Post the contents of that log in your next reply with a new hijackthis log.

  4. ***Note*** Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.

59 Posts

September 8th, 2007 18:00

I ran ComboFix successfully. Control Panel has reappeared in the Start menu. The contents of ComboFix.txt and a new HijackThis log are appended below.

ComboFix.txt:

ComboFix 07-09-08.7 - "alf82" 2007-09-08 14:28:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.56 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp18.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp1A.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp78.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmpAD.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmpAF.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmpB0.tmp.exe
C:\DOCUME~1\ANNIEF~1\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\ANNIEF~1\MYDOCU~1\CROSOF~1.NET
C:\DOCUME~1\ANNIEF~1\MYDOCU~1\RACLE~1
C:\DOCUME~1\ANNIEF~1\MYDOCU~1\RACLE~1\userinit.exe
C:\DOCUME~1\ANNIEF~1\STARTM~1\Programs\Startup\system.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\bot.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\crosof~1
C:\Program Files\crosof~1\??crosoft\
C:\Program Files\s2f.exe
C:\Program Files\stem32~1
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\w.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\jkkhee.dll
C:\WINDOWS\mgrs.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\ssqrss.dll
C:\WINDOWS\ssrqss.ini
C:\WINDOWS\system32\2_exception.nls
C:\WINDOWS\system32\dlh9jkd1q5.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\smtpdrv.sys
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\instcat.dll
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\MailSpectre.exe
C:\WINDOWS\system32\max1d1164v.exe
C:\WINDOWS\system32\nblakyda.dll
C:\WINDOWS\system32\pmkjifc.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\tmp1A.tmp.dll
C:\WINDOWS\system32\tmpA.tmp.dll
C:\WINDOWS\system32\tmpB0.tmp.dll
C:\WINDOWS\system32\tmpD.tmp.dll
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4m1et4.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wtssvit32.exe
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\Temp\163705090.exe
C:\WINDOWS\tuvwuv.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\vuwvut.ini


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_HAXDRV
-------\LEGACY_ICF
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RDRIV
-------\LEGACY_SMTPDRV
-------\LEGACY_WAVV52
-------\DomainService
-------\nm
-------\rdriv
-------\smtpdrv


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-08 14:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 09:51 13,312 --a------ C:\WINDOWS\SYSTEM32\s2f5028.exe
2007-09-08 08:36 d-------- C:\VundoFix Backups
2007-09-02 22:19 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-09-02 22:04 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pctspk.exe
2007-09-02 22:04 86,016 --a------ C:\WINDOWS\SYSTEM32\pctspk.exe
2007-09-02 21:54 d-------- C:\DOCUME~1\Annie\APPLIC~1\Real
2007-09-02 21:35 41,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.dll
2007-09-02 21:35 31,232 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.sys
2007-09-02 21:22 489,984 --a------ C:\WINDOWS\SYSTEM32\hypertrm.dll
2007-09-02 21:22 200,704 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wordpad.exe
2007-09-02 21:22 189,440 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-09-02 21:22 189,440 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-09-02 21:22 139,776 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-09-02 21:22 139,776 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-09-02 21:11 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-09-02 21:11 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-09-02 21:11 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-09-02 21:11 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-09-02 19:19 593,408 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll
2007-09-02 19:16 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-09-02 19:15 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-09-02 19:15 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-09-02 17:11 d-------- C:\DOCUME~1\ANNIEF~1\APPLIC~1\Roxio
2007-09-01 13:16 39,424 --a------ C:\WINDOWS\SYSTEM32\vtr.dll
2007-09-01 13:09 76,016 --a------ C:\Program Files\setup.exe
2007-09-01 11:09 d--hs---- C:\WINDOWS\QW5uaWUgRm93bGVy
2007-09-01 11:09 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-01 10:59 177,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Wavv52.sys
2007-09-01 10:58 177,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symavc32.sys
2007-09-01 10:11 d-------- C:\Program Files\Trend Micro
2007-08-31 22:31 d-------- C:\Program Files\Spybot
2007-08-31 22:31 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-31 21:50 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-31 21:41 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 21:01 1,207,269 --a------ C:\WINDOWS\SYSTEM32\dne4dc5b2b.dat
2007-08-26 14:28 94,713 --a------ C:\WINDOWS\SYSTEM32\DPCDFR.dll
2007-08-16 22:38 d-------- C:\Program Files\iTunes
2007-08-16 22:31 d-------- C:\Program Files\QuickTime
2007-08-16 22:24 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-12 16:38 d-------- C:\QUARANTINE
2007-08-12 16:17 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2007-08-12 16:17 d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-12 16:17 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-12 16:16 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-08-12 16:16 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2007-08-12 16:16 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2007-08-12 16:16 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-08-12 16:16 168,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-08-12 16:15 d-------- C:\Program Files\McAfee
2007-08-12 16:15 d-------- C:\Program Files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-03 09:57 389120 --a------ C:\WINDOWS\JAVA\GoToAssist_phone__268_en.exe
2007-08-31 21:50 --------- d-------- C:\Program Files\Lavasoft
2007-08-31 21:45 --------- d-------- C:\DOCUME~1\ANNIEF~1\APPLIC~1\Lavasoft
2007-08-22 08:10 --------- d-------- C:\Program Files\Opera
2007-08-16 22:38 --------- d-------- C:\Program Files\iPod
2007-08-16 22:24 --------- d-------- C:\Program Files\Apple Software Update
2007-08-12 16:28 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-08-12 16:23 --------- d-------- C:\Program Files\AVPersonal
2007-08-12 16:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-12 15:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\QW5uaWUgRm93bGVy\kqcRuqo0lA6av3pV.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 NT Adv Services"="taskmngr.exe" []
"Camra Updates"="serviceswu.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-25 19:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"PCTVOICE"="pctspk.exe" [2001-08-17 22:36 C:\WINDOWS\SYSTEM32\pctspk.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 18:17 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camra Updates"="serviceswu.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Sfl"="C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe" []
"Apeo"="C:\WINDOWS\SCURIT~1\winlogon.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Camra Updates"=serviceswu.exe
"Win32 NT Adv Services"=taskmngr.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"LSASS32"=ISASS32.EXE
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows Update XP64"=xefamgzs.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"USB Driver4"=UpdateXP2.exe
"Camra Updates"=serviceswu.exe
"USBDrives"=msfirewalI.exe
"Microsoft Windows Update XP64"=xefamgzs.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\DOCUME~1\ANNIEF~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Annie\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDVfQUB"= {E4DC5B2C-4E76-F186-6D41-2218BC043068} - C:\WINDOWS\System32\nzmal.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\0 ¸ À ]
0 ¸ À

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPCDFR]
DPCDFR.dll 2007-08-26 14:28 94713 C:\WINDOWS\SYSTEM32\DPCDFR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cryptographic Service]
C:\WINDOWS\System32\roctu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"WANMiniportService"=2 (0x2)
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)
"iPodService"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 mfetdik;McAfee Inc.;C:\WINDOWS\System32\drivers\mfetdik.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\System32\drivers\mfeapfk.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-17 02:25:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 14:40:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\Temp

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc355]

.
Completion time: 2007-09-08 14:42:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 14:41
.
--- E O F ---

59 Posts

September 8th, 2007 18:00

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:04 PM, on 9/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\hd3.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Camra Updates] serviceswu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKCU\..\Run: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sfl] "C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe"
O4 - HKCU\..\Run: [Apeo] "C:\WINDOWS\SCURIT~1\winlogon.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [USB Driver4] UpdateXP2.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Camra Updates] serviceswu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [USBDrives] msfirewalI.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSASS32] ISASS32.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [USB Driver4] UpdateXP2.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSASS32] ISASS32.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188195863193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188195832018
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/2007/download.php?file=2&aid=rrdef1_11_asr&lid=1034&affid=3
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O20 - Winlogon Notify: DPCDFR - C:\WINDOWS\SYSTEM32\DPCDFR.dll
O21 - SSODL: CDVfQUB - {E4DC5B2C-4E76-F186-6D41-2218BC043068} - C:\WINDOWS\System32\nzmal.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 6532 bytes

3.3K Posts

September 8th, 2007 18:00

Honestly, I've not seen a system as badly infected with trojans and rootkits. We'll use the combofix scanner again at some point but we need to do a whole lot more cleaning first...

Download AVG Anti-Spyware v7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version, which has a special "clean driver" for removing persistent malware.)
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
  • Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
  • Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

Close the application and reboot the computer into Safe mode. Once in safe mode continue with the instructions below:

Open the AVG Anti-Spyware application and click the "Scan" tab.
Click "Complete System Scan" to start.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\

Exit AVG Anti-Spyware when done. Reboot and post a fresh HijackThis log along with the AVG Anti-Spyware log.

59 Posts

September 8th, 2007 20:00

I had some problems with this step. I downloaded AVG Anti-Spyware and installed it without incident. When I launched it, the computer "crashed"---blue screen, white text, memory addresses, saying something about a physical dump, accompanied by a crackling/static sound. This screen disappeared quickly and the computer restarted. Upon restart, one of the annoying "...tell Microsoft about the problem." messages appeared saying "Windows Explorer has encountered a serious problem and needs to close." (Note that this is the first time the computer had been restarted after running ComboFix.) Upon pressing Don't Send, the desktop disappeared and reappeared along with the same message. The computer then "crashed" again and restarted, same as before. This happened 3 times. On the third restart, the message about the problem with Windows Explorer was accompanied by one saying "The system has recovered from a serious error."

Since trying to press Don't Send to get rid of these messages had proved futile, I decided to move them aside and try to continue. I inactivated 'Resident Shield' and 'Automatic Updates' and unchecked "Start with Windows". I stopped the guard service in Services and changed the "Startup Type" to "Manual". I had trouble with the updater so I downloaded the AVG Anti-Spyware Full database installer and tried to install. A message appeared saying it couldn't find ewido anti-malware followed by a window allowing me to browse to the folder. I selected C:\Program Files\Grisoft\AVG Anti-Spyware 7.5 and pressed install. The installation appeared to complete successfully. I then returned to the AVG Anti-Spyware window and set the scanner settings as instructed. But when I rebooted in safe mode and launched AVG Anti-Spyware, I got a message saying "Connection to service failed. Please reinstall AVG Anti-Spyware 7.5." (Note that the annoying Microsoft message about Windows Explorer encountering serious problems also appeared in safe mode.) Did I do something wrong? How should I proceed?

In case it might be helpful, appended is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:52 PM, on 9/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Camra Updates] serviceswu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKCU\..\Run: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sfl] "C:\Documents and Settings\Annie Fowler\My Documents\?racle\userinit.exe"
O4 - HKCU\..\Run: [Apeo] "C:\WINDOWS\SCURIT~1\winlogon.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [USB Driver4] UpdateXP2.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Camra Updates] serviceswu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [USBDrives] msfirewalI.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSASS32] ISASS32.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [USB Driver4] UpdateXP2.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSASS32] ISASS32.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Update XP64] xefamgzs.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188195863193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188195832018
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/2007/download.php?file=2&aid=rrdef1_11_asr&lid=1034&affid=3
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O20 - Winlogon Notify: DPCDFR - C:\WINDOWS\SYSTEM32\DPCDFR.dll
O21 - SSODL: CDVfQUB - {E4DC5B2C-4E76-F186-6D41-2218BC043068} - C:\WINDOWS\System32\nzmal.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 6790 bytes

3.3K Posts

September 9th, 2007 04:00

Do you know what program this setup file is for?:
C:\Program Files\setup.exe

Are you familiar with this program...did you download it and do you use it?:
C:\WINDOWS\JAVA\GoToAssist_phone__268_en.exe

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt: change the "Save as type" to "All Files" and save it to your desktop. Now drag the text document over to your Combofix.exe.

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!



File::
C:\WINDOWS\SYSTEM32\s2f5028.exe
C:\WINDOWS\SYSTEM32\vtr.dll
C:\WINDOWS\SYSTEM32\dne4dc5b2b.dat
C:\WINDOWS\SYSTEM32\DPCDFR.dll
C:\WINDOWS\QW5uaWUgRm93bGVy\kqcRuqo0lA6av3pV.vbs


Folder::
C:\WINDOWS\QW5uaWUgRm93bGVy
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon


Driver::
Wavv52
symavc32
DomainService
nm
rdriv
smtpdrv


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 NT Adv Services"=-
"Camra Updates"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camra Updates"=-
"Sfl"=-
"Apeo"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Camra Updates"=-
"Win32 NT Adv Services"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"LSASS32"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows Update XP64"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"USB Driver4"=-
"Camra Updates"=-
"USBDrives"=-
"Microsoft Windows Update XP64"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDVfQUB"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\0 ¸ À ]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPCDFR]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cryptographic Service]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc355]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_DOMAINSERVICE]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_HAXDRV]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ICF]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NETWORK_MONITOR]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RDRIV]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SMTPDRV]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_WAVV52]

59 Posts

September 9th, 2007 16:00

C:\Program Files\setup.exe: I don't know to what program this corresponds. I don't remember (intentionally) downloading or installing anything on the day it was created. In addition, the icon doesn't look like the usual setup icon. Seems suspicious. Should I delete?

C:\Windows\Java\GoToAssist_phone__268_en.exe: This might be a program used by Verizon DSL technical support to enable them to view and control my computer. This would be consistent with the name of the program and the date on which it was created. In any case, I don't need it. Should I delete?

I ran ComboFix again. The contents of ComboFix.txt are appended followed by a new HijackThis log.

ComboFix.txt:

ComboFix 07-09-08.7 - "Annie Fowler" 2007-09-09 13:29:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.74 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\s2f5028.exe
C:\WINDOWS\SYSTEM32\vtr.dll
C:\WINDOWS\SYSTEM32\dne4dc5b2b.dat
C:\WINDOWS\SYSTEM32\DPCDFR.dll
C:\WINDOWS\QW5uaWUgRm93bGVy\kqcRuqo0lA6av3pV.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt
C:\WINDOWS\QW5uaWUgRm93bGVy
C:\WINDOWS\QW5uaWUgRm93bGVy\kqcRuqo0lA6av3pV.vbs
C:\WINDOWS\SYSTEM32\dne4dc5b2b.dat
C:\WINDOWS\SYSTEM32\DPCDFR.dll
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\SYSTEM32\s2f5028.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\SYSTEM32\vtr.dll


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.

2007-09-08 16:44 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-08 14:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 08:36 d-------- C:\VundoFix Backups
2007-09-02 22:19 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-09-02 22:04 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pctspk.exe
2007-09-02 22:04 86,016 --a------ C:\WINDOWS\SYSTEM32\pctspk.exe
2007-09-02 21:54 d-------- C:\DOCUME~1\Annie\APPLIC~1\Real
2007-09-02 21:35 41,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.dll
2007-09-02 21:35 31,232 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.sys
2007-09-02 21:22 489,984 --a------ C:\WINDOWS\SYSTEM32\hypertrm.dll
2007-09-02 21:22 200,704 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wordpad.exe
2007-09-02 21:22 189,440 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-09-02 21:22 189,440 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-09-02 21:22 139,776 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-09-02 21:22 139,776 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-09-02 21:11 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-09-02 21:11 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-09-02 21:11 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-09-02 21:11 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-09-02 19:19 593,408 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll
2007-09-02 19:16 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-09-02 19:15 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-09-02 19:15 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-09-02 17:11 d-------- C:\DOCUME~1\ANNIEF~1\APPLIC~1\Roxio
2007-09-01 13:09 76,016 --a------ C:\Program Files\setup.exe
2007-09-01 10:59 177,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Wavv52.sys
2007-09-01 10:11 d-------- C:\Program Files\Trend Micro
2007-08-31 22:31 d-------- C:\Program Files\Spybot
2007-08-31 22:31 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-31 21:50 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-31 21:41 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-16 22:38 d-------- C:\Program Files\iTunes
2007-08-16 22:31 d-------- C:\Program Files\QuickTime
2007-08-16 22:24 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-12 16:38 d-------- C:\QUARANTINE
2007-08-12 16:17 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2007-08-12 16:17 d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-12 16:17 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-12 16:16 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-08-12 16:16 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2007-08-12 16:16 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2007-08-12 16:16 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-08-12 16:16 168,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-08-12 16:15 d-------- C:\Program Files\McAfee
2007-08-12 16:15 d-------- C:\Program Files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-03 09:57 389120 --a------ C:\WINDOWS\JAVA\GoToAssist_phone__268_en.exe
2007-08-31 21:50 --------- d-------- C:\Program Files\Lavasoft
2007-08-31 21:45 --------- d-------- C:\DOCUME~1\ANNIEF~1\APPLIC~1\Lavasoft
2007-08-22 08:10 --------- d-------- C:\Program Files\Opera
2007-08-16 22:38 --------- d-------- C:\Program Files\iPod
2007-08-16 22:24 --------- d-------- C:\Program Files\Apple Software Update
2007-08-12 16:28 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-08-12 16:23 --------- d-------- C:\Program Files\AVPersonal
2007-08-12 16:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-12 15:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-08_144128.67 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 262,144 2007-09-09 17:27:11 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
----a-w 32,768 2007-09-09 17:18:57 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
----a-w 32,768 2007-09-09 17:18:57 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
----a-w 32,768 2007-09-09 17:18:57 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 262,144 2007-09-08 18:27:52 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
----a-w 32,768 2007-09-08 12:36:22 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
----a-w 32,768 2007-09-08 12:36:22 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
----a-w 32,768 2007-09-08 12:36:25 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-25 19:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"PCTVOICE"="pctspk.exe" [2001-08-17 22:36 C:\WINDOWS\SYSTEM32\pctspk.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 18:17 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\DOCUME~1\ANNIEF~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Annie\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-09-02 21:28:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\0 ¸ À ]
0 ¸ À

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"WANMiniportService"=2 (0x2)
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)
"iPodService"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 mfetdik;McAfee Inc.;C:\WINDOWS\System32\drivers\mfetdik.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\System32\drivers\mfeapfk.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-17 02:25:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 13:39:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc355]

.
Completion time: 2007-09-09 13:41:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 13:41
.
--- E O F ---

59 Posts

September 9th, 2007 17:00

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:53 PM, on 9/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188195863193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188195832018
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/2007/download.php?file=2&aid=rrdef1_11_asr&lid=1034&affid=3
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 5408 bytes

3.3K Posts

September 9th, 2007 18:00

You can delete this file:
C:\WINDOWS\JAVA\GoToAssist_phone__268_en.exe

...but let's leave this file alone for the time being:
C:\Program Files\setup.exe
...It's possible that it could be legitimate. We'll do a couple of scans later to see if anything else finds it suspicious.


I'm still concerned about this driver file:
C:\WINDOWS\SYSTEM32\DRIVERS\Wavv52.sys
...we tried to remove it with the combofix script but it still shows in the log.

We also tried removing these Keys with the combofix script but they also still show in the log:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\0 ¸ À ]
0 ¸ À
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc355]


Please select and install one of these free Firewall applications:
ZoneAlarm Free Version
Outpost Free
Kerio

When the installation completes successfully, reboot the computer.

Since you had trouble installing AVG Anti-Spyware, let's try the online scan instead:

Perform an online scan Here. Scroll down and click Scan now. Install the ActiveX control needed for the scan. If a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner, please click "Yes" to allow the download.

Once installed, click the Start Scan button. Click the Save Report button, then click to Remove Infections if found. Please post that log along with a fresh HijackThis log on your next reply. Thanks!
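The post above checks whether the ComboFix script actually removed the driver and the two registry keys by looking for them again in the new log. As an added example (not part of this thread, and not code from HijackThis or ComboFix), the Python below parses two HijackThis logs, diffs their R*/O* entries, and flags survivors using heuristics drawn from this thread (Winlogon Notify or SSODL entries pointing at a missing file, and entry names that are not printable ASCII); the sample logs are a constructed subset of the lines posted earlier in the thread.

```python
"""Diff two HijackThis logs and report which flagged entries survived a fix.

Added example, not part of the original thread. BEFORE_LOG and AFTER_LOG are
a constructed subset of the HijackThis lines posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis entry line: section code (R0, O4, O20, O23 ...), " - ", body.
_ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
_FILE_MISSING = " (file missing)"


@dataclass(frozen=True)
class Entry:
    section: str
    body: str          # body with the "(file missing)" marker stripped
    file_missing: bool

    @property
    def key(self) -> tuple[str, str]:
        """Identity of an entry: same section and same body, marker ignored."""
        return (self.section, self.body)


def parse_hjt(log: str) -> list[Entry]:
    """Parse the R*/O* entry lines of a HijackThis log; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(_FILE_MISSING)
        if missing:
            body = body[: -len(_FILE_MISSING)]
        entries.append(Entry(m.group("section"), body, missing))
    return entries


def is_suspicious(e: Entry) -> bool:
    """Partial heuristics, as used in this thread: a Winlogon Notify (O20) or
    SSODL (O21) entry whose file is missing, or any autostart/service entry
    whose text contains non-printable or non-ASCII characters. Stale O23
    services with a missing file are deliberately not flagged."""
    if e.section not in {"O4", "O20", "O21", "O23"}:
        return False
    if e.file_missing and e.section in {"O20", "O21"}:
        return True
    return any(ord(ch) > 126 or ord(ch) < 32 for ch in e.body)


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Classify entries as removed (before only), persisted (both) or new (after only)."""
    b = {e.key: e for e in parse_hjt(before)}
    a = {e.key: e for e in parse_hjt(after)}
    return {
        "removed": [b[k] for k in b if k not in a],
        "persisted": [a[k] for k in a if k in b],
        "new": [a[k] for k in a if k not in b],
    }


def surviving_suspects(before: str, after: str) -> list[Entry]:
    """Entries flagged by the heuristics that the fix did not remove."""
    return [e for e in diff_logs(before, after)["persisted"] if is_suspicious(e)]


# Constructed sample: a subset of the log posted before the CFScript run.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKUS\.DEFAULT\..\Run: [USB Driver4] UpdateXP2.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSASS32] ISASS32.EXE (User 'Default user')
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O20 - Winlogon Notify: DPCDFR - C:\WINDOWS\SYSTEM32\DPCDFR.dll
O21 - SSODL: CDVfQUB - {E4DC5B2C-4E76-F186-6D41-2218BC043068} - C:\WINDOWS\System32\nzmal.dll (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
"""

# Constructed sample: a subset of the log posted after the CFScript run.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O20 - Winlogon Notify: 0 ¸ À - 0 ¸ À (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
"""

if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for kind, entries in result.items():
        print(f"{kind}: {len(entries)}")
        for e in entries:
            print(f"  {e.section} - {e.body}{' (file missing)' if e.file_missing else ''}")
    for e in surviving_suspects(BEFORE_LOG, AFTER_LOG):
        print(f"still suspicious after fix: {e.section} - {e.body}")
```

The heuristics are only the ones this thread uses; an entry such as the random-name DPCDFR.dll is caught here only because it disappears between the two logs, not because it is flagged.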

59 Posts

September 9th, 2007 20:00

I deleted C:\Windows\Java\GoToAssist_phone__268_en.exe.

I downloaded and installed ZoneAlarm and reviewed the Getting Started tutorial upon restart. The "...tell Microsoft about the problem." messages no longer appeared upon restarting after installing ZoneAlarm; this was the first time the computer was restarted after completing the last ComboFix run. ZoneAlarm prompted me when I tried to open Firefox and I selected Allow. (I assumed that Firefox is trusted.)

I also ran the online scan. The log from this scan and a new HijackThis log are appended below. (Note that the letters 'b' and 's' together in ewido-report.txt were disallowed, so I replaced them with ' '.)

ewido-report.txt (1):

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@2o7[1].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@2o7[3].txt
Risk: Medium

Name: TrackingCookie.Aavalue
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@aavalue[1].txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ad.doubleclick[2].txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ad.yieldmanager[1].txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ad.yieldmanager[2].txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ad.yieldmanager[4].txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@adbrite[1].txt
Risk: Medium

Name: TrackingCookie.Specificclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@adopt.specificclick[1].txt
Risk: Medium

Name: TrackingCookie.Specificclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@adopt.specificclick[3].txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@adrevolver[3].txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ads.adbrite[2].txt
Risk: Medium

Name: TrackingCookie.Cnn
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ads.cnn[1].txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@advertising[1].txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@advertising[2].txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@anat.tacoda[1].txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@anat.tacoda[2].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@brightcove.112.2o7[1].txt
Risk: Medium

Name: TrackingCookie.Burstnet
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@burstnet[2].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@buycom.122.2o7[1].txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@casalemedia[1].txt
Risk: Medium

Name: TrackingCookie.Cpvfeed
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@cpvfeed[2].txt
Risk: Medium

Name: TrackingCookie.Cpvfeed
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@cpvfeed[3].txt
Risk: Medium

Name: TrackingCookie.Cpvfeed
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@cpvfeed[4].txt
Risk: Medium

Name: TrackingCookie.Enhance
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@enhance[2].txt
Risk: Medium

Name: TrackingCookie.Fastclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@fastclick[1].txt
Risk: Medium

Name: TrackingCookie.Findwhat
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@findwhat[1].txt
Risk: Medium

Name: TrackingCookie.Findwhat
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@findwhat[2].txt
Risk: Medium

Name: TrackingCookie.Aavalue
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@getmusicfree.aavalue[1].txt
Risk: Medium

Name: TrackingCookie.Goclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@goclick[1].txt
Risk: Medium

Name: TrackingCookie.Goclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@goclick[2].txt
Risk: Medium

Name: TrackingCookie.Tracking101
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@login.tracking101[2].txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@mediaplex[1].txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@mediaplex[2].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@msnportal.112.2o7[1].txt
Risk: Medium

Name: TrackingCookie.Overture
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@perf.overture[1].txt
Risk: Medium

Name: TrackingCookie.Pro-market
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@pro-market[2].txt
Risk: Medium

Name: TrackingCookie.Realmedia
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@realmedia[2].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@reunioncom.112.2o7[2].txt
Risk: Medium

Name: TrackingCookie.Specificclick
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@specificclick[1].txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@ssl-hints.netflame[2].txt
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@stats1.reliablestats[1].txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@tacoda[1].txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@tacoda[2].txt
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@tribalfusion[1].txt
Risk: Medium

Name: TrackingCookie.Burstbeacon
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@www.burstbeacon[1].txt
Risk: Medium

Name: TrackingCookie.Burstnet
Path: C:\Documents and Settings\Annie Fowler\Application Data\Earthlink\6.0\alf122@earthlink.net\Cookies\annie fowler@www.burstnet[2].txt
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res
Risk: Medium

Name: TrackingCookie.Netflame
Path: :mozilla.7:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.26:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.27:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.28:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.29:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.30:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.31:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.32:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.33:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.34:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: :mozilla.43:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: :mozilla.44:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adtech
Path: :mozilla.61:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adtech
Path: :mozilla.62:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.63:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.64:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.65:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.66:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.67:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.68:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Questionmarket
Path: :mozilla.74:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Questionmarket
Path: :mozilla.75:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.80:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: :mozilla.89:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: :mozilla.90:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Webtrends
Path: :mozilla.97:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.99:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.100:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.101:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Imrworldwide
Path: :mozilla.138:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Imrworldwide
Path: :mozilla.139:C:\Documents and Settings\Annie Fowler\Application Data\Mozilla\Firefox\Profiles\4t2q979o.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Falkag
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@a.as-us.falkag[1].txt
Risk: Medium

Name: TrackingCookie.Specificpop
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@ads.specificpop[1].txt
Risk: Medium

Name: TrackingCookie.X10
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@ads.x10[1].txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@advertising[1].txt
Risk: Medium

Name: TrackingCookie.Falkag
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@as-us.falkag[1].txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@atdmt[1].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@ .serving-sys[1].txt
Risk: Medium

Name: TrackingCookie.Ru4
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@edge.ru4[2].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@ehg-lexnex.hitbox[1].txt
Risk: Medium

Name: TrackingCookie.Bridgetrack
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@rccl.bridgetrack[2].txt
Risk: Medium

Name: TrackingCookie.Msn
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@search.msn[1].txt
Risk: Medium

Name: TrackingCookie.Specificpop
Path: C:\Documents and Settings\Annie Fowler\Cookies\annie fowler@specificpop[1].txt
Risk: Medium

59 Posts

September 9th, 2007 20:00

ewido-report.txt (2/2):

Name: Adware.Aws
Path: C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Risk: Medium

Name: Adware.BargainBuddy
Path: C:\Program Files\Microsoft AntiSpyware\Quarantine\A78FE012-C734-4C5D-A4FC-11474B\990BB56C-86EE-4759-86B9-1854F5/C:/WINDOWS/System32/msbe.dll
Risk: Medium

Name: Adware.BargainBuddy
Path: C:\Program Files\Microsoft AntiSpyware\Quarantine\A78FE012-C734-4C5D-A4FC-11474B\990BB56C-86EE-4759-86B9-1854F5/C:/Program Files/BullsEye Network/bin/bargains.exe
Risk: Medium

Name: Adware.BargainBuddy
Path: C:\Program Files\Microsoft AntiSpyware\Quarantine\A78FE012-C734-4C5D-A4FC-11474B\990BB56C-86EE-4759-86B9-1854F5/C:/Program Files/BullsEye Network/bin/adv.exe
Risk: Medium

Name: Adware.BargainBuddy
Path: C:\Program Files\Microsoft AntiSpyware\Quarantine\A78FE012-C734-4C5D-A4FC-11474B\990BB56C-86EE-4759-86B9-1854F5/C:/Program Files/BullsEye Network/bin/adx.exe
Risk: Medium

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe.vir
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\qoobox\Quarantine\C\DOCUME~1\ANNIEF~1\STARTM~1\Programs\Startup\system.exe.vir
Risk: Low

Name: Adware.UltimateDefender
Path: C:\qoobox\Quarantine\C\Program Files\ucleaner_setup.exe.vir
Risk: Medium

Name: Trojan.Small
Path: C:\qoobox\Quarantine\C\WINDOWS\QW5uaWUgRm93bGVy\kqcRuqo0lA6av3pV.vbs.vir
Risk: High

Name: Rootkit.Agent.ey
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\runtime2.sys.vir
Risk: High

Name: Worm.Agent.l
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\smtpdrv.sys.vir
Risk: High

Name: Trojan.Small
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\hlpsrv.exe.vir
Risk: High

Name: Worm.Agent.q
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\MailSpectre.exe.vir
Risk: High

Name: Dialer.GBDialer.i
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\max1d1164v.exe.vir
Risk: High

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\printer.exe.vir
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinAvXX.exe.vir
Risk: Low

Name: Trojan.Small
Path: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\wtssvit32.exe.vir
Risk: High

Name: Trojan.Small
Path: C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir
Risk: High

Name: Adware.UltimateDefender
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000047.exe
Risk: Medium

Name: Adware.UltimateDefender
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001129.exe
Risk: Medium

Name: Downloader.Agent.uj
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002153.exe
Risk: High

Name: Downloader.Agent.uj
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002161.exe
Risk: High

Name: Downloader.Agent.uj
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002169.exe
Risk: High

Name: Downloader.Agent.uj
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002180.exe
Risk: High

Name: Downloader.Agent.uj
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002194.exe
Risk: High

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002266.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002272.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002273.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002274.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002284.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002285.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002286.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002293.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002294.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002295.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0002298.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002333.exe
Risk: Low

Name: Trojan.Small
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002343.vbs
Risk: High

Name: Trojan.Small
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002352.exe
Risk: High

Name: Dialer.GBDialer.i
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002353.exe
Risk: High

Name: Rootkit.Agent.ey
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002362.sys
Risk: High

Name: Trojan.Small
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002366.exe
Risk: High

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002370.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002371.exe
Risk: Low

Name: Not-A-Virus.Hoax.Win32.Renos.jg
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002372.exe
Risk: Low

Name: Adware.UltimateDefender
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002374.exe
Risk: Medium

Name: Worm.Agent.q
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002377.exe
Risk: High

Name: Worm.Agent.l
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0002378.sys
Risk: High

Name: Trojan.Small
Path: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0009531.vbs
Risk: High

Name: Adware.EliteBar
Path: C:\WINDOWS\40291831.exe
Risk: Medium

No Events found!