What the Tech -- Malware Removal Forum

[Resolved] Cool Web Search - I Think - Please Help


  • This topic is locked
15 replies to this topic

#1 coldsmoke (Authentic Member, 48 posts)

Posted 20 August 2007 - 09:39 AM

Hi All,

I am new to this board and found you when trying to resolve the issue that I have. Hello all, and thanks in advance. You seemed to be very helpful for cjdragon on a thread started 8/15. Hopefully you guys can help me resolve my issue as well.

I get two messages. Both look like Windows system message boxes but they aren't. One says something to the effect of: "Warning: An program is making unauthorized copies of system and internet files. Click here to fix." Clicking takes you to a site to purchase antivirus software. Another message is something like: "Warning your computer is infected with a virus..." I can't remember the exact wording and for some reason it doesn't seem to be doing it so far today. I had a license for Windows OneCare and installed that but it wasn't able to remove the problem. I also installed AVG and again it wasn't able to fix the problem. Both find the problem and specify it as a Trojan in ...\windows32\hrum455.txt. A SmitFraud scan finds a problem here as well. I have attached my HijackThis log as I have seen other people do. Please let me know how to proceed. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:11 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.customdining.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1181517816319
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181564070625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O17 - HKLM\Software\..\Telephony: DomainName = BigSkyBeverage.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum455.txt
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7458 bytes



#2 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 20 August 2007 - 08:16 PM

Welcome to the forum.

Download combofix.exe from the link below:
http://download.blee...Bs/ComboFix.exe

Double click combofix.exe & follow the prompts.
A window will open with a warning.
Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window.
Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

-------------------------

Please download SUPERAntiSpyware Home Edition (free)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions; click Yes, and let it through your firewall!
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  • Ignore System Restore/Volume Information on ME and XP
Please leave the others unchecked.
Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information - please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/WordPad).
  • Please highlight everything, then right-click and choose Copy.
  • Click Close and Close again to exit the program.
Now please paste the removal information along with a fresh HijackThis log and the log from ComboFix in your reply. If it's a large log, you may need several replies to post it.

MrC


#3 coldsmoke (Authentic Member, 48 posts)

Posted 21 August 2007 - 08:30 AM

ComboFix 07-08-14.4 - "HLacey" 2007-08-21 8:19:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1571 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 08:10 25,600 --a------ C:\WINDOWS\bdaecsc.exe
2007-08-19 18:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-19 17:04 2,796 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-19 17:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-19 17:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-19 17:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-19 14:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 21:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-18 19:23 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-18 19:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-18 12:59 81,024 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-08-18 12:59 105,856 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-08-18 12:58 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-08-18 12:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-18 12:57 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-18 12:55 591,632 --------- C:\WINDOWS\system32\WinSSWebAgent.dll
2007-08-18 12:55 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-08-18 12:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-18 12:31 <DIR> d-------- C:\DOCUME~1\HLacey\.housecall6.6
2007-08-12 19:43 <DIR> d-------- C:\Program Files\QuickTime
2007-08-12 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-25 10:15 <DIR> d-------- C:\WINDOWS\ASTULogTemp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 19:43 --------- d-------- C:\Program Files\Apple Software Update
2007-08-02 16:24 --------- d-------- C:\DOCUME~1\HLacey\APPLIC~1\U3
2007-07-25 09:01 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-19 00:59 3583488 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 17:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 08:34 823808 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 08:34 671232 -----c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 08:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 08:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 08:34 477696 -----c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 08:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 08:34 44544 -----c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 08:34 384512 -----c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 08:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 08:34 27648 -----c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 08:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 08:34 232960 -----c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 08:34 230400 -----c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 08:34 193024 -----c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 08:34 153088 -----c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 08:34 132608 -----c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 08:34 124928 -----c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 08:34 1152000 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 08:34 105984 -----c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 08:34 102400 -----c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 02:27 63488 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 02:27 625152 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 02:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 01:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:27 363520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 00:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 07:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 04:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-10 16:31 3316 --a------ C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-06-10 16:29 8972 --a------ C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-06-10 16:10 0 -rahs---- C:\MSDOS.SYS
2007-06-10 16:10 0 -rahs---- C:\IO.SYS
2007-06-10 16:10 0 --a------ C:\CONFIG.SYS
2007-06-10 16:10 0 --a------ C:\AUTOEXEC.BAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 20:48]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-02 10:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 05:32]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-20 11:37:12]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-11 05:32:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum455.txt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
S3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2007-08-13 01:43:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 08:21:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 8:23:13
C:\ComboFix-quarantined-files.txt ... 2007-08-21 08:23
C:\ComboFix2.txt ... 2007-08-19 15:22

--- E O F ---
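Three things in the Reg Loading Points section above deserve a closer look than a quick scroll gives them: the WinAVX Run value sits in HKEY_USERS\.default (on XP the same hive HKU\S-1-5-18 links to, which is why HijackThis printed it twice, once as SYSTEM and once as Default user), the .default policies\explorer key carries NoControlPanel and NoWindowsUpdate, and AppInit_DLLs points at a file with a .txt extension. The script below is an added example written for this page, not ComboFix code and not anything MrCharlie posted. It parses that section of the log (copied inline as the sample input), flags those three classes of load point, and renders a regedit-importable script that deletes or clears them. The LOCKDOWN_POLICIES list, the reason strings and the choice of delete-versus-clear are the editor's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the "Reg Loading Points" excerpt from the ComboFix log in post #3,
# reproduced as posted apart from entries left out for brevity.
SAMPLE_REG_POINTS = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum455.txt
"""

# Explorer policy values rogue "antivirus" products set to keep the user away from
# the tools that would undo them. Assumption: this list is the editor's own.
LOCKDOWN_POLICIES = {"nocontrolpanel", "nowindowsupdate", "norun", "nofolderoptions", "nodesktop"}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


@dataclass
class RegFinding:
    key: str
    name: str
    value: str
    reason: str
    action: str  # "delete" removes the value; "clear" sets it to an empty string


def parse_reg_points(text: str) -> dict[str, dict[str, str]]:
    """Group ComboFix's "name"=value lines under their [key] headers, preserving order."""
    points: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = KEY_LINE.match(line)
        if k:
            current = k.group("key")
            points.setdefault(current, {})
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            points[current][v.group("name")] = v.group("val").strip()
    return points


def triage_reg_points(text: str) -> list[RegFinding]:
    findings: list[RegFinding] = []
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        for name, val in values.items():
            n = name.lower()
            if k.startswith(("hkey_users\\.default\\", "hkey_users\\s-1-5-18\\")) and k.endswith("\\run"):
                findings.append(RegFinding(key, name, val,
                    "Run value in the SYSTEM/.DEFAULT profile hive; legitimate software registers under HKLM or the user's own HKCU",
                    "delete"))
            elif k.endswith("\\policies\\explorer") and n in LOCKDOWN_POLICIES and val.startswith("1"):
                findings.append(RegFinding(key, name, val,
                    "explorer policy that blocks a remediation path (Control Panel, Windows Update, ...)",
                    "delete"))
            elif k.endswith("\\windows nt\\currentversion\\windows") and n == "appinit_dlls" and val:
                # Normalise the name; ComboFix prints it lower-case, regedit matches case-insensitively.
                findings.append(RegFinding(key, "AppInit_DLLs", val,
                    "AppInit_DLLs is loaded into every process that links user32.dll, whatever its extension",
                    "clear"))
    return findings


def build_fix_reg(findings: list[RegFinding]) -> str:
    """Render a .reg script: "Name"=- deletes a value, "Name"="" empties it."""
    by_key: dict[str, list[RegFinding]] = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        for f in items:
            lines.append(f'"{f.name}"=""' if f.action == "clear" else f'"{f.name}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage_reg_points(SAMPLE_REG_POINTS)
    for f in found:
        print(f"{f.key}\n    {f.name} = {f.value}\n    -> {f.reason}")
    print(build_fix_reg(found))
```

The script only generates the .reg file; it does not apply it. Removing load points while WinAvXX.exe and the newly created bdaecsc.exe are still running just invites them to be rewritten, which is why the helper has the ComboFix run and scans done first. `"Name"=-` deletes a value of any type, so it works for the DWORD policies; `"AppInit_DLLs"=""` keeps the value but empties it, which is its state on a clean XP install. NoWelcomeScreen under HKLM is deliberately left alone: it is not in the lockdown list and is a normal logon-screen setting.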

#4 coldsmoke (Authentic Member, 48 posts)

Posted 21 August 2007 - 08:31 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:08 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\bdaecsc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.divematrix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.customdining.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1181517816319
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181564070625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O17 - HKLM\Software\..\Telephony: DomainName = BigSkyBeverage.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum455.txt
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7398 bytes
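Reading these two HijackThis logs by hand, the lines that matter are a handful in a wall of OEM and Office noise: the O20 AppInit_DLLs value pointing at a .txt, the WinAVX O4 values under the HKUS hives, the O15 Trusted Zone entry, the HKCU start page that appeared in this second log, and an O23 service with no vendor string. The script below is an added example written for this page, not HijackThis code and not anything the participants posted. It applies those checks to lines copied from the logs in posts #1 and #4 (embedded as the sample input) and reports why each flagged entry deserves attention. The heuristics, the allowlist of default start pages and the reason strings are the editor's own assumptions; the O23 rule in particular is a prompt to check rather than a verdict, and on this log it flags a legitimate Dell service.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Sample input: entries copied from the HijackThis logs in posts #1 and #4,
# trimmed to the sections the heuristics below look at.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.divematrix.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
O15 - Trusted Zone: http://www.customdining.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum455.txt
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

HJT_LINE = re.compile(r"^(?P<sec>[ROF]\d{1,2}) - (?P<body>.+)$")
RUN_ENTRY = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_ENTRY = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PAGE_ENTRY = re.compile(r"^(?P<key>.+?) = (?P<val>.*)$")
# Hives HijackThis reports as HKUS\...: the SYSTEM account's profile and .DEFAULT.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _benign_page(url: str) -> bool:
    """about:blank or a microsoft.com page is the stock IE7 default; anything else gets asked about."""
    url = url.strip()
    return url in ("", "about:blank") or re.match(
        r"^https?://([\w-]+\.)*microsoft\.com(/|$)", url, re.I) is not None


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            page = PAGE_ENTRY.match(body)
            if page and not _benign_page(page.group("val")):
                findings.append(Finding(sec, "start/search page is not the IE default; confirm the user set it", line))
        elif sec == "O4":
            run = RUN_ENTRY.match(body)
            if run and run.group("hive").upper().startswith(SYSTEM_HIVES):
                findings.append(Finding(sec, "Run value in the SYSTEM/.DEFAULT profile hive; legitimate software registers under HKLM or the user's own HKCU", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site in the IE Trusted Zone gets relaxed security settings; verify it was added on purpose", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # The value may list several modules separated by spaces or commas.
            for path in re.split(r"[,\s]+", body[len("AppInit_DLLs:"):].strip()):
                if not path:
                    continue
                ext = ntpath.splitext(path)[1].lower()
                reason = "AppInit_DLLs is loaded into every process that links user32.dll"
                if ext != ".dll":
                    reason += f"; extension {ext or '(none)'} instead of .dll is a disguise, not a data file"
                findings.append(Finding(sec, reason, line))
        elif sec == "O23":
            svc = SERVICE_ENTRY.match(body)
            if svc and svc.group("owner").lower() == "unknown owner":
                findings.append(Finding(sec, "service binary carries no company name; check its signature and origin (OEM tools often look like this)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On this input the script flags six lines and passes the HKLM Java updater and the ATI service. The O20 rule is the one the thread turns on: the loader calls LoadLibrary on whatever AppInit_DLLs names, so hrum455.txt is a DLL with a misleading name, which is why OneCare, AVG and SmitFraud all point at it. The Running processes section is not examined here; it still pays to compare it by eye against ComboFix's file-creation list, which is how C:\WINDOWS\bdaecsc.exe (created at 08:10 that morning, running in this log) stands out.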

#5 coldsmoke (Authentic Member, 48 posts)

Posted 21 August 2007 - 10:51 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2007 at 09:51 AM

Application Version : 3.9.1008

Core Rules Database Version : 3290
Trace Rules Database Version: 1301

Scan type : Complete Scan
Total Scan Time : 00:36:26

Memory items scanned : 535
Memory threats detected : 0
Registry items scanned : 5308
Registry threats detected : 0
File items scanned : 41305
File threats detected : 154

Adware.Tracking Cookie
C:\Documents and Settings\HLacey\Cookies\hlacey@casalemedia[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@adopt.euroclick[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@e-2dj6whlokkajshp.stats.esomniture[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@stats.sitesuite[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@e-2dj6whmiohazabp.stats.esomniture[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@sales.liveperson[4].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@realmedia[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@ehg-vzw.hitbox[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@nextag[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@adopt.specificclick[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@ad.yieldmanager[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@ads.expedia[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@www.googleadservices[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@uk.sitestat[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@e-2dj6wbk4sldjglo.stats.esomniture[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@questionmarket[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@e-2dj6wjnysidjegp.stats.esomniture[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@msnportalbeetoffice2007.112.2o7[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@apmebf[1].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@atdmt[2].txt
C:\Documents and Settings\HLacey\Cookies\hlacey@tacoda[1].txt

Trojan.Net-AVP/AVT
C:\QOOBOX\QUARANTINE\C\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\AUTORUN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DOCUME~1\HLACEY\STARTM~1\PROGRAMS\STARTUP\SYSTEM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PRINTER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINAVXX.EXE.VIR

#6 coldsmoke
Authentic Member • 48 posts

Posted 21 August 2007 - 10:52 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:51 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.divematrix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.customdining.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1181517816319
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181564070625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O17 - HKLM\Software\..\Telephony: DomainName = BigSkyBeverage.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum455.txt
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7018 bytes

#7 coldsmoke
Authentic Member • 48 posts

Posted 21 August 2007 - 10:58 AM

ComboFix 07-08-14.4 - "HLacey" 2007-08-21 10:52:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1476 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 09:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-21 09:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-21 09:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 09:09 <DIR> d-------- C:\DOCUME~1\HLacey\APPLIC~1\SUPERAntiSpyware.com
2007-08-21 08:10 25,600 --a------ C:\WINDOWS\bdaecsc.exe
2007-08-19 18:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-19 17:04 2,796 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-19 17:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-19 17:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-19 17:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-19 14:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 21:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-18 19:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-18 12:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-18 12:57 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-18 12:55 591,632 --------- C:\WINDOWS\system32\WinSSWebAgent.dll
2007-08-18 12:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-18 12:31 <DIR> d-------- C:\DOCUME~1\HLacey\.housecall6.6
2007-08-12 19:43 <DIR> d-------- C:\Program Files\QuickTime
2007-08-12 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-25 10:15 <DIR> d-------- C:\WINDOWS\ASTULogTemp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 19:43 --------- d-------- C:\Program Files\Apple Software Update
2007-08-02 16:24 --------- d-------- C:\DOCUME~1\HLacey\APPLIC~1\U3
2007-07-25 09:01 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-19 00:59 3583488 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 17:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 08:34 823808 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 08:34 671232 -----c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 08:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 08:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 08:34 477696 -----c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 08:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 08:34 44544 -----c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 08:34 384512 -----c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 08:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 08:34 27648 -----c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 08:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 08:34 232960 -----c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 08:34 230400 -----c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 08:34 193024 -----c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 08:34 153088 -----c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 08:34 132608 -----c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 08:34 124928 -----c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 08:34 1152000 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 08:34 105984 -----c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 08:34 102400 -----c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 02:27 63488 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 02:27 625152 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 02:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 01:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:27 363520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 00:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 07:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 04:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-10 16:31 3316 --a------ C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-06-10 16:29 8972 --a------ C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-06-10 16:10 0 -rahs---- C:\MSDOS.SYS
2007-06-10 16:10 0 -rahs---- C:\IO.SYS
2007-06-10 16:10 0 --a------ C:\CONFIG.SYS
2007-06-10 16:10 0 --a------ C:\AUTOEXEC.BAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 20:48]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 05:32]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-20 11:37:12]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-11 05:32:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum455.txt



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2007-08-13 01:43:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 10:53:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 10:54:59
C:\ComboFix-quarantined-files.txt ... 2007-08-21 10:54
C:\ComboFix2.txt ... 2007-08-21 08:23
C:\ComboFix3.txt ... 2007-08-19 15:22

--- E O F ---

#8 coldsmoke
Authentic Member • 48 posts

Posted 21 August 2007 - 10:59 AM

MrCharlie, I think I did everything you wanted. Let me know what else I need to do. So far everything seems good, but I might just be without symptoms. I have been afraid to reconnect to my work network for fear of spreading something. Thanks.

#9 MrCharlie
SuperMember, Malware Team • 2,949 posts

Posted 21 August 2007 - 05:24 PM

OK, looks better.

1. Please download The Avenger by Swandog46 to your Desktop.

* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
* Don't run it yet

------------

Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
---->Fix the one below only if you didn't put it in your Internet Explorer's Trusted Zones<----
O15 - Trusted Zone: http://www.customdining.com

Click on Fix Checked and exit HijackThis.

----------------

Back to the Avenger.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it, then right click on it and choose Copy [or by pressing (Ctrl+C)]:


Files to delete:
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\hrum455.txt
C:\WINDOWS\SYSTEM32\VTR455.DLL

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

3. Now, start The Avenger program by clicking on its icon on your desktop.

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Right click in the new window and choose Paste or use (Ctrl+V). This will paste the text from the clipboard into the new window.
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

* It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
* On reboot, it will briefly open a black command window on your desktop, this is normal.
* After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Post a fresh HJT log and the avenger.txt.

---------------

Let me know if you can access "Windows Update" and your "Control Panel".

Did you set your computer to have no "Welcome Screen"?
It shows in this registry entry found by ComboFix.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

Let me know, MrC
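As an added example (not code from this thread, from HijackThis or from The Avenger), here is a small Python triage script that automates the three checks MrCharlie made by eye on the log above: O4 Run entries loaded from the SYSTEM (S-1-5-18) or .DEFAULT hive, an O20 AppInit_DLLs value pointing at something other than a .dll, and O15 Trusted Zone additions. The sample lines are copied from the 8/21 HijackThis log in this thread; the function names and severity labels are my own.

```python
"""Triage a HijackThis log for the persistence points this thread turned on.

Added example: not code from the thread, from HijackThis or from The Avenger.
It automates three checks MrCharlie made by eye: O4 Run entries loaded from
the SYSTEM (S-1-5-18) or .DEFAULT hive, an O20 AppInit_DLLs value that points
at something other than a .dll, and O15 Trusted Zone additions.
"""
import re
from typing import List, NamedTuple, Optional

# Sample input: a constructed subset of the 8/21 HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
O15 - Trusted Zone: http://www.customdining.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum455.txt
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


class Finding(NamedTuple):
    severity: str  # "high" = fix it, "review" = confirm with the user first
    reason: str
    line: str


# O4 lines look like: O4 - HKUS\S-1-5-18\..\Run: [Name] command (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU|HKUS)(?:\\([^\\]+))?\\\.\.\\Run: \[([^\]]+)\] (.*)$"
)
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")

# Hives under HKUS that ordinary user software has no business writing to.
MACHINE_WIDE_USER_HIVES = ("S-1-5-18", ".DEFAULT")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()

    m = O4_RE.match(line)
    if m:
        hive, sid, name, _cmd = m.groups()
        if hive == "HKUS" and sid in MACHINE_WIDE_USER_HIVES:
            return Finding(
                "review",
                f"Run entry [{name}] under HKUS\\{sid} starts for the SYSTEM "
                "account / new profiles, a hive user software rarely needs",
                line,
            )
        return None

    m = O20_APPINIT_RE.match(line)
    if m:
        value = m.group(1).strip()
        if not value:
            return None
        # AppInit_DLLs is loaded into every process that maps user32.dll.
        # A path that is not even a .dll (here a .txt) is almost certainly
        # a DLL hiding behind another extension.
        if not value.lower().endswith(".dll"):
            return Finding("high", "AppInit_DLLs points at a non-.dll file", line)
        return Finding("review", "AppInit_DLLs is set; confirm the DLL is known", line)

    m = O15_RE.match(line)
    if m:
        return Finding(
            "review",
            f"{m.group(1)} is in the IE Trusted Zone; confirm the user added it",
            line,
        )
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-blank line, keeping log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if raw.strip():
            f = triage_line(raw)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```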


#10 coldsmoke
Authentic Member • 48 posts

Posted 22 August 2007 - 08:47 AM

MrC

I forgot to mention that I couldn't access the Control Panel. I figured it was some Windows update that moved it or something. I hadn't checked Windows Update, but I can access it now. I don't know if I couldn't before. Also, the Control Panel link is back.

Yes, I don't have a welcome screen - on purpose.

Do you know what I have/had? Was it Cool Web Search or many things? On a different note, I have a problem with the sound card loading on my home PC (not the same PC that you have been helping me with). I just figured it was hardware/software compatibility issues. I can get it to play iTunes only if I start iTunes immediately after logging in. It happened when I contracted a bad virus, and when I couldn't fix it I just bought a new HD and started over. Ever since then I have had trouble with the sound.

Thanks.

Below are the logs:



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\snvvcbij

*******************

Script file located at: \??\C:\Program Files\fmrpmxkp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\WinAvXX.exe not found!
Deletion of file C:\WINDOWS\system32\WinAvXX.exe failed!

Could not process line:
C:\WINDOWS\system32\WinAvXX.exe
Status: 0xc0000034

File C:\WINDOWS\system32\hrum455.txt deleted successfully.


File C:\WINDOWS\SYSTEM32\VTR455.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\VTR455.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\VTR455.DLL
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:13 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.divematrix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.customdining.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1181517816319
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181564070625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O17 - HKLM\Software\..\Telephony: DomainName = BigSkyBeverage.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BigSkyBeverage.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6861 bytes


#11 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 22 August 2007 - 07:05 PM

The log looks OK.

You said in your first post that a SmitFraud scan found something.
Did you run SmitFraud and clean it?
-------------------
You had several infections....it's not CWS though.
SmitFraud ----->C:\WINDOWS\system32\WinAvXX.exe

I'm not sure what this one is...it's new--->C:\WINDOWS\system32\hrum455.txt
This is also found with it---->C:\WINDOWS\SYSTEM32\VTR455.DLL
-----------------
For your other computer...check the "Device Manager" for any anomalies....they'll be visible.

MrC
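The "looks OK" verdict above comes from reading each HijackThis line against a mental checklist: does the startup entry name a full path, has anything been added to the Trusted Zone, is a DLL hooked into Winlogon, does a service carry a vendor name. The script below is an added example, written for this page and not part of the thread, of HijackThis, or of any forum tool; it encodes a handful of those checks and runs them over lines copied from the log posted earlier in this thread. The rules (which sections to flag, what counts as "needs a look") are this example's own assumptions, and a flag means "a human should confirm this", not "this is malware": the `stsystra.exe` entry it flags resolves to `C:\WINDOWS\stsystra.exe` in the SmitFraudFix process list, which is a normal location for that vendor tray applet.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis's own logic)."""
import re

# Sections whose presence alone earns a look (assumed rule set for this example).
REVIEW_SECTIONS = {
    "O15": "Trusted Zone addition: sites in this zone get relaxed IE security settings",
    "O20": "Winlogon Notify DLL: loaded into winlogon.exe at logon, a common persistence spot",
}

# "<section> - <body>"; HijackThis sections are R0-R3, F0-F3, N1-N4, O1-O24.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 registry Run entries: "HKLM\..\Run: [Name] <command line>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run(?:Once|Services)?: \[[^\]]*\] (.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_line(line):
    """Split one log line into section tag and body; None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def check_entry(entry):
    """Return the reasons an entry deserves human review; an empty list means nothing to flag."""
    sec, body = entry["section"], entry["body"]
    reasons = []
    if sec in REVIEW_SECTIONS:
        reasons.append(REVIEW_SECTIONS[sec])
    if sec == "O4":
        m = RUN_RE.match(body)
        if m and not ABS_PATH_RE.match(m.group(2).strip()):
            reasons.append("Run entry without an absolute path: resolved by PATH search, "
                           "so confirm which file actually executes")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor name: confirm its origin")
    if sec == "R0" and body.rstrip().endswith("= about:blank"):
        reasons.append("Start Page is about:blank: often set by a hijacker or left behind after one is removed")
    return reasons


def triage(log_text):
    """Run every line through check_entry; return (section, raw line, reasons) for flagged lines."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check_entry(entry)
        if reasons:
            flagged.append((entry["section"], entry["raw"], reasons))
    return flagged


# Lines taken verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O15 - Trusted Zone: http://www.customdining.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

if __name__ == "__main__":
    for section, raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("    ->", r)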


#12 coldsmoke

coldsmoke

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 23 August 2007 - 08:51 AM

Here is my smitfraud log. I think that I must have mis-read it. Does it look good to you? As far as my other pc the device manager is not reporting any problems and I have installed/re-installed the sound card drivers countless times to no avail. It's not a real big deal, I just thought you might know of other instances where people were having these problems. Thanks for all of your help.

SmitFraudFix v2.213b

Scan done at 8:45:51.35, Thu 08/23/2007
Run from C:\Documents and Settings\HLacey\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HLacey

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HLacey\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HLacey\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
DNS Server Search Order: 69.145.248.50
DNS Server Search Order: 69.145.232.4
DNS Server Search Order: 69.145.248.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E1882566-CC5B-428C-BD20-E073FCC87F4D}: DhcpNameServer=69.145.248.50 69.145.232.4 69.145.248.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E1882566-CC5B-428C-BD20-E073FCC87F4D}: DhcpNameServer=69.145.248.50 69.145.232.4 69.145.248.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E1882566-CC5B-428C-BD20-E073FCC87F4D}: DhcpNameServer=69.145.248.50 69.145.232.4 69.145.248.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=69.145.248.50 69.145.232.4 69.145.248.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=69.145.248.50 69.145.232.4 69.145.248.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=69.145.248.50 69.145.232.4 69.145.248.4

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#13 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 23 August 2007 - 05:43 PM

Here is my smitfraud log. I think that I must have mis-read it. Does it look good to you?


Looks OK, it didn't find anything.


As far as my other pc the device manager is not reporting any problems and I have installed/re-installed the sound card drivers countless times to no avail. It's not a real big deal, I just thought you might know of other instances where people were having these problems.


You'll just have to fight that through...sitting here it's hard for me to troubleshoot something like that.

---------------

Is this computer running OK now?

Let me know, MrC


#14 coldsmoke

coldsmoke

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 23 August 2007 - 06:25 PM

It seems to be running fine. Thanks so much for your help.

#15 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 24 August 2007 - 06:44 PM

OK, That's Great!

If you have any questions - please post back

I'll leave you with........

Some Preventive Maintenance:

Some of the programs you may have run create backups of what was deleted - you can safely delete them now: (delete folders in blue) You can also delete/uninstall the programs themselves.

C:\!KillBox (KillBox)
C:\VundoFix Backups (VundoFix)
C:\QooBox (ComboFix)
C:\SDFix\backups\backups.zip (SDFix)
C:\avenger\backup.zip (Avenger)

If you used AVG Anti-Spyware and/or SuperAntiSpyware...........

Open up SuperAntiSpyware > Preferences > General and Start-up > Start-up Options > Uncheck > Start SAS when Windows Starts.
"SAS free" provides no real time protection so there's no need for it to be running, I suggest you keep the program and update regularly - you can use it to scan for malware. It's an excellent program. When you want to start it - just double click on the SAS icon.

AVG Anti-Spyware will provide 30 days of real time protection and then after that you can use it to scan for malware - you'll have to manually update it first.


------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point:

Note: This will remove all previous Restore Points!

1. Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

2. Turn on System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UnCheck Turn off System Restore.
Click Apply, and then click OK.

Visit Windows Update and install all the latest critical updates.

Install these two free programs, they sit in the background and protect your system from spy and adware being installed on your system, also from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG*free
Avast Free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
Windows firewall is not sufficient...install a better one.
Comodo Free Firewall
ZoneAlarm*free
Other free firewalls

Keep those temp files off your system use
ATF Cleaner - hit "select all" then just uncheck "cookies" (uncheck cookies is optional - leave it checked if you want to delete all cookies) then "empty selected"
or
CCleaner
Uncheck "Cookies" under "Internet Explorer".
That will clear out all the temp files on the system.

IMPORTANT!!
Keep your Sun Java up-to-date JRE Version 6 Update 2<--newest version
Delete ALL old versions from add/remove programs if listed first!
Check HERE

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

Starter Manage your startup programs and services.

----------Free malware removal programs:----------

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)
SUPERAntiSpyware (free edition)<---Excellent!
AVG Anti-Rootkit Free Edition Run it!!
SpyBot
AD-Aware
CW-Shredder

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable "Windows Messenger Service" XP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Anti-Rootkit Software - Detection, Removal & Protection

Reduce Online Fraud

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Don't believe e-mails from your bank, financial institution, etc asking for personal information - they're most likely fraudulent no matter how authentic they look.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC
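The "Blocking Unwanted Parasites with a Hosts File" advice above and the `hosts` section of the SmitFraudFix log are two sides of the same file: a hosts file that maps unwanted names to 127.0.0.1 or 0.0.0.0 keeps the browser from ever reaching them, and a hosts file that maps an update server or a bank to an address the attacker picks is one of the oldest hijacks there is. The script below is an added example, written for this page and not the MVPS project's or the forum's own code. It parses a hosts file, separates stock loopback lines from deliberate blocking entries and from hijack candidates, and shows the MVPS-style merge of a blocklist without duplicating lines already present. The sample hosts text is constructed for the example, and the list of "must stay reachable" names (`PROTECTED_NAMES`) is an assumption you would replace with the update and security-vendor hosts that matter to you.

```python
"""Hosts-file review and blocklist merge (added example; not the MVPS or forum code)."""
import ipaddress

NULL_ROUTE = {"0.0.0.0", "127.0.0.1", "::1"}       # targets that make a name unreachable
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Names this machine must be able to reach to stay patched; null-routing them is
# sabotage, not ad blocking. Assumed list for this example.
PROTECTED_NAMES = {"windowsupdate.microsoft.com", "update.microsoft.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and lines without a valid address are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                 # first token is not an address
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def classify(entries):
    """Split entries into stock loopback lines, deliberate blocking, and hijack candidates."""
    out = {"stock": [], "blocking": [], "hijack": []}
    for ip, name in entries:
        if name in STOCK_NAMES:
            out["stock"].append((ip, name))
        elif ip in NULL_ROUTE and name not in PROTECTED_NAMES:
            out["blocking"].append((ip, name))
        else:
            # Either a protected name null-routed (updates silently blocked) or a
            # real name pointed at a routable address (traffic redirected).
            out["hijack"].append((ip, name))
    return out


def review(text):
    """Parse and classify a hosts file in one call."""
    return classify(parse_hosts(text))


def merge_blocklist(hosts_text, domains, target="0.0.0.0"):
    """Append null-route lines for domains not already present; existing lines are kept verbatim."""
    present = {name for _, name in parse_hosts(hosts_text)}
    additions = [f"{target} {d.lower()}" for d in domains if d.lower() not in present]
    if not additions:
        return hosts_text
    return hosts_text.rstrip("\n") + "\n" + "\n".join(additions) + "\n"


# Constructed sample; the hijack lines are illustrative and not taken from the thread.
SAMPLE_HOSTS = """\
# sample hosts file header comment
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net                 # MVPS-style blocking entry
0.0.0.0 tracker.example.org
127.0.0.1 windowsupdate.microsoft.com   # update server null-routed: hijack
203.0.113.7 www.bank.example            # real name pointed at a TEST-NET-3 address: hijack
this line is not a hosts entry
"""

if __name__ == "__main__":
    for kind, items in review(SAMPLE_HOSTS).items():
        print(f"{kind}:")
        for ip, name in items:
            print(f"  {ip:<15} {name}")
    print(merge_blocklist(SAMPLE_HOSTS, ["ads.example.net", "NewBad.example.com"]))
```

On a real machine point `parse_hosts` at the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; a clean XP install has only the `localhost` line, so anything in the `hijack` bucket is worth a look before you install a blocklist on top of it, and anything in `blocking` that you did not put there yourself is also suspect. The merge keeps whatever is already in the file, which is why reviewing first matters.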
