Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Badly Infected


  • This topic is locked This topic is locked
9 replies to this topic

#1 ice2921

ice2921

    Authentic Member

  • Authentic Member
  • PipPip
  • 42 posts

Posted 08 September 2007 - 08:23 AM

Hey I am on my sisters computer and sadly she has become nfected with quite a few infections. Take a look at this mess.I figured I would come here because ths is where i usually go.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:12 AM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O2 - BHO: MSVPS System - {F4CF814F-970F-405D-A42C-0CE06EB97373} - C:\WINDOWS\mxduo.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\PCSECU~1\uga6pcw.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: wmpenv - {D54E570A-8CE7-4186-B84F-EB7AB606968E} - C:\WINDOWS\wmpenv.dll (file missing)
O21 - SSODL: wmphost - {C371CBCD-CEAE-4188-83EA-84942596EC55} - C:\WINDOWS\wmphost.dll (file missing)
O21 - SSODL: msmhost - {92F7487F-E9CC-4254-BD05-5A93DFCB4D9A} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {C2CE4C1D-A45D-4CE7-99BB-EB809BB30B4C} - C:\WINDOWS\msmdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    Advertisements

Register to Remove


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 September 2007 - 08:57 AM

Hi! Welcome to the WTT forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.


Download AVG Anti-Spyware.
  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.
  • At the top of the main screen click Update.
  • Then in the Manual Update section, click on Start Update.
[*]The update will start and a progress bar will show the updates being installed.
[*]When updates are completed, close AVG.
[/list]If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Download and Run ComboFix
  • Download this file from below:

    Here
  • Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2:Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#3 ice2921

ice2921

    Authentic Member

  • Authentic Member
  • PipPip
  • 42 posts

Posted 08 September 2007 - 10:42 AM

here you go thanks for helpin

ComboFix 07-09-08.8 - "Owner" 2007-09-09 12:29:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Owner\FAVORI~1\Error Cleaner.url
C:\DOCUME~1\Owner\FAVORI~1\Privacy Protector.url
C:\DOCUME~1\Owner\FAVORI~1\Spyware&Malware Protection.url
C:\UGA6P
C:\WINDOWS\privacy_danger


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.

2007-09-09 12:22 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-09 12:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 10:55 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-09-09 10:54 <DIR> dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-09-09 10:54 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-09 10:54 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-09-09 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-09 10:53 <DIR> d-------- C:\WINDOWS\cache
2007-09-09 10:47 <DIR> d-------- C:\VundoFix Backups
2007-09-09 09:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-08 13:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-08 13:42 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-09-08 13:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ntr
2007-09-07 07:55 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-07 07:55 <DIR> d-------- C:\Program Files\PCSecureSystem
2007-09-07 07:55 <DIR> d-------- C:\Program Files\Common Files\PCSecureSystem
2007-09-07 07:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PCSecureSystem
2007-09-06 10:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-06 10:31 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-06 10:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-20 09:35 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\CyberLink
2007-08-19 17:25 <DIR> d-------- C:\Program Files\Synaptics
2007-08-19 17:15 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-08-19 17:15 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-08-19 17:15 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-08-19 16:56 12,292,303 --------- C:\avg7qt.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 12:28 16896 --a------ C:\WINDOWS\system32\Rpcnetp.exe
2007-09-09 12:27 47104 --a------ C:\WINDOWS\system32\rpcnet.dll
2007-09-09 12:20 --------- d-------- C:\Program Files\Google
2007-09-09 09:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-24 08:37 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-24 08:37 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-20 09:19 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-08-09 19:43 32256 --a------ C:\WINDOWS\system32\identprv.dll
2007-08-05 01:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 01:07 --------- d-------- C:\Program Files\CyberLink
2007-08-04 23:55 --------- d-------- C:\Program Files\Windows Messaging
2007-08-04 23:34 --------- d-------- C:\Program Files\Lavasoft
2007-08-04 23:34 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-04 23:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 22:51 47104 --a------ C:\WINDOWS\system32\rpcnet.exe
2007-08-04 22:49 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 22:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-04 21:34 --------- d-------- C:\Program Files\SigmaTel
2007-08-04 21:32 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\ATI
2007-08-04 21:30 5 --a------ C:\WINDOWS\system32\drivers\DELL_INS_1501.MRK
2007-08-04 21:30 5 --a------ C:\WINDOWS\system32\drivers\1028_DELL_INS_1501.MRK
2007-08-04 21:30 --------- d-------- C:\Program Files\ATI Technologies
2007-08-04 21:29 --------- d-------- C:\Program Files\Dell
2007-08-04 21:26 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-04 21:24 --------- d-------- C:\Program Files\Broadcom
2007-08-04 21:23 --------- d-------- C:\Program Files\DIFX
2007-08-04 21:23 --------- d-------- C:\Program Files\CONEXANT
2007-08-04 21:22 --------- d-------- C:\Program Files\AMD
2007-08-04 20:56 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 14:19 C:\WINDOWS\stsystra.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-19 17:04]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 18:38]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59]
"SDFix"="C:\SDFix\RunThis.bat /second" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 12:30:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-09 12:31:23
C:\ComboFix-quarantined-files.txt ... 2007-09-09 12:31
.
--- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 12:33:50 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\JOE\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 September 2007 - 12:18 PM

I need to see the SDFix report too.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#5 ice2921

ice2921

    Authentic Member

  • Authentic Member
  • PipPip
  • 42 posts

Posted 08 September 2007 - 01:05 PM

not sure where to fnd the SDfix report.

#6 ice2921

ice2921

    Authentic Member

  • Authentic Member
  • PipPip
  • 42 posts

Posted 08 September 2007 - 10:00 PM

is this it ? SDFix: Version 1.102 Run by Owner on Sun 09/09/2007 at 09:23 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File

#7 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 09 September 2007 - 03:47 AM

Hi

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Select everything named Privacy_Danger you find in there and press the Delete button on the right.
Hit OK then Apply in previous window.

Open Notepad and Copy/Paste the text in the codebox below into it:

Folder::
C:\SDFix
 
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDFix"=-

Save this as "CFScript"

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#8 ice2921

ice2921

    Authentic Member

  • Authentic Member
  • PipPip
  • 42 posts

Posted 09 September 2007 - 01:14 PM

ComboFix 07-09-08.8 - "Owner" 2007-09-10 13:49:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.145 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\moveex.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\RegDACL.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\zip.exe
C:\SDFix\attrib.exe
C:\SDFix\backupreg\AppInit_DLLs.reg
C:\SDFix\backupreg\BackupSDRepairXP.reg
C:\SDFix\backupreg\bat_shell_open.reg
C:\SDFix\backupreg\BHO.reg
C:\SDFix\backupreg\CLSID.reg
C:\SDFix\backupreg\com_shell_open.reg
C:\SDFix\backupreg\ControlPanel_Load.reg
C:\SDFix\backupreg\ControlPanel_Load1.reg
C:\SDFix\backupreg\exe_shell_open.reg
C:\SDFix\backupreg\HKCUPolicy.reg
C:\SDFix\backupreg\HKCURun.reg
C:\SDFix\backupreg\HKCURunServices.reg
C:\SDFix\backupreg\HKLMPolicy.reg
C:\SDFix\backupreg\HKLMRun.reg
C:\SDFix\backupreg\HKLMRunServices.reg
C:\SDFix\backupreg\hta_shell_open.reg
C:\SDFix\backupreg\IEMain.reg
C:\SDFix\backupreg\Installed_Components.reg
C:\SDFix\backupreg\Legacy.reg
C:\SDFix\backupreg\pif_shell_open.reg
C:\SDFix\backupreg\reg_shell_open.reg
C:\SDFix\backupreg\Services.reg
C:\SDFix\backupreg\SharedTaskScheduler.reg
C:\SDFix\backupreg\ShellServiceObjectDelayLoad.reg
C:\SDFix\backupreg\txt_shell_open.reg
C:\SDFix\backupreg\Winlogon.reg
C:\SDFix\backupreg\WinlogonNotify.reg
C:\SDFix\backups_old1\capt.gif
C:\SDFix\backups_old1\danger.jpg
C:\SDFix\backups_old1\dat.txt
C:\SDFix\backups_old1\down.gif
C:\SDFix\backups_old1\index.htm
C:\SDFix\backups_old1\msmdev.dll
C:\SDFix\backups_old1\msmhost.dll
C:\SDFix\backups_old1\nsduo.dll
C:\SDFix\backups_old1\rs.txt
C:\SDFix\backups_old1\spacer.gif
C:\SDFix\backups_old1\wmpdev.dll
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\find.exe
C:\SDFix\Find.txt
C:\SDFix\FindMurlo.txt
C:\SDFix\Findrun.txt
C:\SDFix\Findrun2.txt
C:\SDFix\Findrun3.txt
C:\SDFix\Findrun66.txt
C:\SDFix\Findrun67.txt
C:\SDFix\findstr.exe
C:\SDFix\HOSTS
C:\SDFix\kill.txt
C:\SDFix\ndloc.txt
C:\SDFix\regedit.exe
C:\SDFix\Report.txt
C:\SDFix\Report_old_1.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-10 00:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-09 23:44 <DIR> dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-09-09 23:44 <DIR> d-------- C:\WINDOWS\cache
2007-09-09 23:44 <DIR> d-------- C:\VundoFix Backups
2007-09-09 23:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-09 23:44 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-09-09 23:44 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-09-09 23:40 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-09 12:22 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-09 12:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 10:54 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-09 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-08 13:42 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-09-08 13:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ntr
2007-09-07 07:55 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-07 07:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PCSecureSystem
2007-09-06 10:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-06 10:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-20 09:35 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\CyberLink
2007-08-19 17:25 <DIR> d-------- C:\Program Files\Synaptics
2007-08-19 17:15 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-08-19 17:15 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-08-19 17:15 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-08-19 16:56 12,292,303 --------- C:\avg7qt.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 23:44 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-09 23:38 --------- d-------- C:\Program Files\Google
2007-08-24 08:37 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-24 08:37 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-20 09:19 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-08-05 01:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 01:07 --------- d-------- C:\Program Files\CyberLink
2007-08-04 23:55 --------- d-------- C:\Program Files\Windows Messaging
2007-08-04 23:34 --------- d-------- C:\Program Files\Lavasoft
2007-08-04 23:34 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-04 23:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 22:49 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 22:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-04 21:34 --------- d-------- C:\Program Files\SigmaTel
2007-08-04 21:32 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\ATI
2007-08-04 21:30 5 --a------ C:\WINDOWS\system32\drivers\DELL_INS_1501.MRK
2007-08-04 21:30 5 --a------ C:\WINDOWS\system32\drivers\1028_DELL_INS_1501.MRK
2007-08-04 21:30 --------- d-------- C:\Program Files\ATI Technologies
2007-08-04 21:29 --------- d-------- C:\Program Files\Dell
2007-08-04 21:26 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-04 21:24 --------- d-------- C:\Program Files\Broadcom
2007-08-04 21:23 --------- d-------- C:\Program Files\DIFX
2007-08-04 21:23 --------- d-------- C:\Program Files\CONEXANT
2007-08-04 21:22 --------- d-------- C:\Program Files\AMD
2007-08-04 20:56 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-09_123105.32 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,424 2006-10-04 14:05:26 C:\WINDOWS\AppPatch\acadproc.dll
----a-w 141,424 2006-08-24 12:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-w 1,683,456 2007-09-10 01:22:19 C:\WINDOWS\ERUNT\SDFIX\Users000001\NTUSER.DAT
----a-w 143,360 2007-09-10 01:22:19 C:\WINDOWS\ERUNT\SDFIX\Users000002\UsrClass.dat
----a-w 73,728 2006-08-02 16:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 47,104 2007-09-10 17:53:45 C:\WINDOWS\system32\rpcnet.dll
----a-w 16,896 2007-09-10 17:53:52 C:\WINDOWS\system32\Rpcnetp.exe
----a-w 11,776 2003-03-25 22:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 13:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 20:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 18:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 15:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 17:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 22:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 22:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 19:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 17:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 14:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 17:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 22:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 20:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 18:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 18:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 17:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 17:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 15:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 15:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 12:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 18:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 14:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 14:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 20:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 13:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 14:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 18:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 18:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 17:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 12:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 12:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 21:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 18:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-18 10:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 21:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
----a-r 190,696 2007-06-11 17:04:38 C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
----a-w 1,714,036 2007-09-10 03:44:42 C:\WINDOWS\system32\Restore\rstrlog.dat
--sha-w 16,384 2007-09-10 17:53:54 C:\WINDOWS\temp\Cookies\index.dat
--sha-w 16,384 2007-09-10 17:53:54 C:\WINDOWS\temp\History\History.IE5\index.dat
--sha-w 32,768 2007-09-10 17:53:54 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat
.
------w 39,424 2006-10-04 14:05:26 C:\WINDOWS\AppPatch\acadproc.dll
----a-w 372,736 2007-09-09 16:23:20 C:\WINDOWS\ERUNT\SDFIX\Users000001\NTUSER.DAT
----a-w 8,192 2007-09-09 16:23:21 C:\WINDOWS\ERUNT\SDFIX\Users000002\UsrClass.dat
----a-w 47,104 2007-09-09 16:27:44 C:\WINDOWS\system32\rpcnet.dll
----a-w 16,896 2007-09-09 16:28:07 C:\WINDOWS\system32\Rpcnetp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 14:19 C:\WINDOWS\stsystra.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-19 17:04]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 18:38]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11]

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 13:54:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-10 13:55:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 13:55
C:\ComboFix2.txt ... 2007-09-09 12:31
.
--- E O F ---




Logfile of HijackThis v1.99.1
Scan saved at 3:07:16 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\JOE\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 10, 2007 3:05:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 9/09/2007
Kaspersky Anti-Virus database records: 410621
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 29065
Number of viruses found: 6
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:23:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCA7.tmp.bac_a07840/ac8zt2/duocore.dll Infected: not-a-virus:AdWare.Win32.Agent.el skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCA7.tmp.bac_a07840/ac8zt2/edi.exe Infected: Trojan-Downloader.Win32.Zlob.cdd skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCA7.tmp.bac_a07840/ac8zt2/wmpconf.dll Infected: not-a-virus:AdWare.Win32.Agent.fr skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCA7.tmp.bac_a07840/ac8zt2/wmpenv.dll Infected: not-a-virus:AdWare.Win32.Agent.fg skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCA7.tmp.bac_a07840 ZIP: infected - 4 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCA7.tmp.bac_a07840 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCAF.tmp.bac_a07840/ac8zt2/duocore.dll Infected: not-a-virus:AdWare.Win32.Agent.el skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCAF.tmp.bac_a07840/ac8zt2/edi.exe Infected: Trojan-Downloader.Win32.Zlob.cdd skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCAF.tmp.bac_a07840/ac8zt2/wmpconf.dll Infected: not-a-virus:AdWare.Win32.Agent.fr skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCAF.tmp.bac_a07840/ac8zt2/wmpenv.dll Infected: not-a-virus:AdWare.Win32.Agent.fg skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCAF.tmp.bac_a07840 ZIP: infected - 4 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\BITCAF.tmp.bac_a07840 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_234.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_aa0.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF92FC.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP33\A0010504.dll Infected: not-a-virus:AdWare.Win32.HotBar.cc skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP34\A0010571.dll Infected: not-a-virus:AdWare.Win32.Agent.fr skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP34\A0010587.exe Infected: not-a-virus:AdWare.Win32.Agent.gy skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP34\A0010595.exe Infected: not-a-virus:AdWare.Win32.Agent.gy skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP40\A0010998.exe Object is locked skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP41\A0011166.exe Object is locked skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP42\A0011790.exe Object is locked skipped
C:\System Volume Information\_restore{DE2D026A-F7AF-4887-A898-2733F722913D}\RP42\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E3D77804-09F5-498C-984A-EF1842C8C376}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#9 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 09 September 2007 - 01:22 PM

Hi

Navigate to this folder

C:\Documents and Settings\Owner\.housecall6.6\Quarantine

and delete the items in there.

Navigate to and delete the following folders (if they are present):

Folders:
C:\Qoobox
C:\Combofix

Delete the Combofix.exe from your Desktop.

This is my usual speech for when you are clean, which you appear to be.

Please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore.
  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name it and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Here are some free programs, I recommend.

Spybot Search and Destroy
Download it from here . Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 10 September 2007 - 05:05 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users