Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91631 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Andrex puppy


  • This topic is locked This topic is locked
15 replies to this topic

#1 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 April 2008 - 03:58 PM

Darling Daughters tried to install the horrid andrex puppy and then aborted it because they realised Daddy, that is I, would be unhappy. It is now forever trying to install itself and winpatrol plus is always asking me for permission for it to load at startup.

Please can someone have a look at my hijack this log and see where I have gone wrong.

Here is the log file

Logfile of HijackThis v1.99.1
Scan saved at 22:55:13, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Andrex Puppy] "C:\Program Files\Andrex Puppy\Andrex Puppy.exe" -r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133602968281
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I run Zone alarm
Spybot S&D
AVG
as defences etc
I am on Windows XP
I love puppies but want rid of this one.

Please help

    Advertisements

Register to Remove


#2 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 03 April 2008 - 05:32 PM

Hi there,

Darling daughters can do things like this can't they? And then give you the big eyes and get forgiven. They certainly know how well Daddy fit's around their little finger :lol:

I know, my four year old does it all the time!

OK, lets send that puppy off to the kennels.

Please disable TeaTimer. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please re-open HiJackThis and scan. Check the box next to the entry listed below.

O4 - HKCU\..\Run: [Andrex Puppy] "C:\Program Files\Andrex Puppy\Andrex Puppy.exe" -r

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Andrex Puppy


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now just to make sure you have nothing else hiding in there you shouldn't have, download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\


That pup should now be banished to cyber dog heaven, so please post me the OTM.txt results, the two logs from DSS, and let me know if the pup has really gone.

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#3 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 April 2008 - 05:59 PM

Thank you for your very prompt reply

herewith the DSS bit

Deckard's System Scanner v20071014.68
Run by Jane Jeremy on 2008-04-04 00:44:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
82: 2008-04-03 23:44:50 UTC - RP316 - Deckard's System Scanner Restore Point
81: 2008-04-03 19:14:17 UTC - RP315 - Software Distribution Service 3.0
80: 2008-04-02 08:29:08 UTC - RP314 - Software Distribution Service 3.0
79: 2008-04-01 13:41:38 UTC - RP313 - System Checkpoint
78: 2008-03-30 16:41:10 UTC - RP312 - System Checkpoint


-- First Restore Point --
1: 2008-01-05 16:39:02 UTC - RP235 - Removed PC Suite


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jane Jeremy.exe) -----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-04 00:48:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\inKline Global\PC Booster\PCBooster.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jane Jeremy\Desktop\dss.exe
C:\Documents and Settings\Jane Jeremy\Desktop\Jane Jeremy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ntent/opuc2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133602968281
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: Crypkey License - Unknown owner - crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


--
End of file - 14347 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\JANEJE~1\Desktop\backups\) ------------

backup-20070310-154517-107 O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)
backup-20070310-154517-143 O2 - BHO: (no name) - {0F01FF26-18F5-4613-BFD6-14DE2FBA24C3} - C:\WINDOWS\system32\iifefcc.dll
backup-20070310-154517-951 O20 - Winlogon Notify: iifefcc - C:\WINDOWS\SYSTEM32\iifefcc.dll
backup-20070310-154558-231 O20 - Winlogon Notify: iifefcc - C:\WINDOWS\SYSTEM32\iifefcc.dll
backup-20070310-154558-416 O2 - BHO: (no name) - {0F01FF26-18F5-4613-BFD6-14DE2FBA24C3} - C:\WINDOWS\system32\iifefcc.dll
backup-20070310-154558-739 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20070311-103616-562 O2 - BHO: (no name) - {0F01FF26-18F5-4613-BFD6-14DE2FBA24C3} - C:\WINDOWS\system32\iifefcc.dll (file missing)
backup-20070311-103616-603 O20 - Winlogon Notify: iifefcc - iifefcc.dll (file missing)
backup-20080404-003815-162 O4 - HKCU\..\Run: [Andrex Puppy] "C:\Program Files\Andrex Puppy\Andrex Puppy.exe" -r

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S1 NetworkX - c:\windows\system32\ckldrv.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S2 Ca50xav (Digital Blue DMC2 Video Device) - c:\windows\system32\drivers\ca50xav.sys <Not Verified; Digital Camera; Digital Camera Driver>
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
S3 BCMModem (BCM V.92 56K Modem) - c:\windows\system32\drivers\bcmsm.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 jbridgep - c:\docume~1\janeje~1\locals~1\temp\jbridgep.sys (file missing)
S3 Ser2pl (MAT Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 usb2vcom (USB Data Cable) - c:\windows\system32\drivers\usb2vcom.sys <Not Verified; USB World Technology Inc. http://www.usbworld.net; USB Data Cable>
S3 USBCamera (Digital Blue DMC2 Still Camera) - c:\windows\system32\drivers\bulk50x.sys <Not Verified; USB BULK; Platform SDK Sample Code>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 Crypkey License - crypserv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-03 21:42:16 474 --a------ C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
2008-04-03 21:41:55 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-01 13:19:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-03-25 14:33:45 0 d-------- C:\Program Files\Safari
2008-03-25 14:31:31 0 d-------- C:\Program Files\iTunes
2008-03-22 15:05:48 70656 --a------ C:\WINDOWS\system32\3DViewer.dll <Not Verified; Apple Computer, Inc.; Apple Computer, Inc. QuickDraw 3D Viewer Controller>
2008-03-22 15:05:47 553984 --a------ C:\WINDOWS\system32\Rave.dll <Not Verified; Apple Computer, Inc.; Apple Computer, Inc. QuickDraw 3D Rendering Acceleration Virtual Engine - RAVE>
2008-03-22 15:05:47 909312 --a------ C:\WINDOWS\system32\QD3D.dll <Not Verified; Apple Computer Inc.; Apple Computer, Inc. QuickDraw 3D>
2008-03-22 15:01:54 0 d-------- C:\DesignWorkshop Lite Installer
2008-03-04 19:41:18 0 d-------- C:\823117d15c779af883390e


-- Find3M Report ---------------------------------------------------------------

2008-04-03 21:48:51 120242 --a------ C:\logfile
2008-04-03 21:36:31 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-25 14:31:45 0 d-------- C:\Program Files\iPod
2008-03-25 14:29:21 0 d-------- C:\Program Files\QuickTime
2008-02-11 00:33:53 3452 --a------ C:\WINDOWS\unins000.dat
2008-02-11 00:33:04 691545 --a------ C:\WINDOWS\unins000.exe
2008-01-20 19:24:02 4347 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
23/12/2007 15:31 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [23/12/2007 15:31 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [19/08/2003 02:01]
"PC Booster"="C:\Program Files\inKline Global\PC Booster\pcbooster.exe" [10/09/2003 18:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [22/12/2007 14:07]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 23:32]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [08/11/2006 17:32]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [19/04/2007 18:33]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [24/09/2006 15:01]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/02/2008 00:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 14:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [08/11/2006 17:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Jane Jeremy\Start Menu\Programs\Startup\
DESKTOP.INI [03/09/2002 10:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [13/07/2004 23:46:37]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]
DESKTOP.INI [03/09/2002 10:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26afa260-6935-11dc-8a7e-0007e951dbb1}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1949d1a-4865-11d8-a199-806d6172696f}]
play\command- c:\program files\interactual\interactual player\iplayer.exe -startup=autorun




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.altnet.com
127.0.0.1 search.kazaa.com
127.0.0.1 www.kazaaplus.com
127.0.0.1 ssa.kazaa.com
127.0.0.1 ssm.kazaa.com
127.0.0.1 www.cydoor.com
127.0.0.1 ads.kazaa.com
127.0.0.1 www.bullguard.com
127.0.0.1 www.certifiedkazaa.com
127.0.0.1 puma.kazaa.com

9728 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-04 00:50:57 ------------

The OTM cannot find it

File/Folder C:\Program Files\Andrex Puppy not found.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04042008_003953

I think that was all.

How am I doing?

There seem to be entries for other stuff that I did not put on but that is probably the girls or the BOY (always mucking about with the beast) (what the heck is KAZZA (sp?))

Cheers the Numpty

#4 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 03 April 2008 - 06:04 PM

Could you post the Extra.txt that DSS should have produced. Looks like you may have a bit more in there that first thought. Regards, RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#5 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 April 2008 - 06:19 PM

This appears to be it all. It combined HJT with something all in the 1 notebook.

Cheers
Deckard's System Scanner v20071014.68
Run by Jane Jeremy on 2008-04-04 01:16:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jane Jeremy.exe) -----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-04 01:16:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\inKline Global\PC Booster\PCBooster.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jane Jeremy\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ntent/opuc2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133602968281
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: Crypkey License - Unknown owner - crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


--
End of file - 14330 bytes

-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-03-25 14:33:45 0 d-------- C:\Program Files\Safari
2008-03-25 14:31:31 0 d-------- C:\Program Files\iTunes
2008-03-22 15:05:48 70656 --a------ C:\WINDOWS\system32\3DViewer.dll <Not Verified; Apple Computer, Inc.; Apple Computer, Inc. QuickDraw 3D Viewer Controller>
2008-03-22 15:05:47 553984 --a------ C:\WINDOWS\system32\Rave.dll <Not Verified; Apple Computer, Inc.; Apple Computer, Inc. QuickDraw 3D Rendering Acceleration Virtual Engine - RAVE>
2008-03-22 15:05:47 909312 --a------ C:\WINDOWS\system32\QD3D.dll <Not Verified; Apple Computer Inc.; Apple Computer, Inc. QuickDraw 3D>
2008-03-22 15:01:54 0 d-------- C:\DesignWorkshop Lite Installer
2008-03-04 19:41:18 0 d-------- C:\823117d15c779af883390e


-- Find3M Report ---------------------------------------------------------------

2008-04-03 21:48:51 120242 --a------ C:\logfile
2008-04-03 21:36:31 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-25 14:31:45 0 d-------- C:\Program Files\iPod
2008-03-25 14:29:21 0 d-------- C:\Program Files\QuickTime
2008-02-11 00:33:53 3452 --a------ C:\WINDOWS\unins000.dat
2008-02-11 00:33:04 691545 --a------ C:\WINDOWS\unins000.exe
2008-01-20 19:24:02 4347 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
23/12/2007 15:31 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [23/12/2007 15:31 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [19/08/2003 02:01]
"PC Booster"="C:\Program Files\inKline Global\PC Booster\pcbooster.exe" [10/09/2003 18:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [22/12/2007 14:07]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 23:32]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [08/11/2006 17:32]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [19/04/2007 18:33]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [24/09/2006 15:01]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/02/2008 00:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 14:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [08/11/2006 17:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Jane Jeremy\Start Menu\Programs\Startup\
DESKTOP.INI [03/09/2002 10:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [13/07/2004 23:46:37]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]
DESKTOP.INI [03/09/2002 10:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26afa260-6935-11dc-8a7e-0007e951dbb1}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1949d1a-4865-11d8-a199-806d6172696f}]
play\command- c:\program files\interactual\interactual player\iplayer.exe -startup=autorun




-- End of Deckard's System Scanner: finished at 2008-04-04 01:17:28 ------------

#6 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 03 April 2008 - 06:22 PM

OK, no problem, please post me an Uninstall List from HijackThis:
  • Re-Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#7 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 April 2008 - 06:27 PM

Yer Tiz 100,000 Clipart - Volume 2 4oD Adobe Flash Player Plugin Adobe PDF IFilter 6.0 Adobe Photoshop 7.0 Adobe Reader 7.0.9 Adobe Shockwave Player Adobe® Photoshop® Album Starter Edition 3.0 Apple Mobile Device Support Apple Software Update AVG Free Edition CCleaner (remove only) CCScore Creative Jukebox Driver Creative MediaSource Creative Removable Disk Manager Creative System Information Creative Zen DA940EN DAO DesignWorkshop Lite Disc2Phone DVDSentry EAX™ Unified (SHELL) EPSON CardMonitor EPSON Print CD EPSON PRINT Image Framer Tool2.1 EPSON Printer Software ESPR300 Reference Guide ESPR300 Software Guide ESPR300 Standalone Guide ESSBrwr ESSCDBK ESScore ESScore ESSgui ESSini ESSPCD ESSPDock ESSSONIC ESSTOOLS essvatgt EULAlyzer v1.1 Family Tree Maker 2005 fflink FinePixViewer Ver.4.3 FUJIFILM USB Driver Google Earth Google Toolbar for Internet Explorer HD Tune 2.53 HijackThis 1.99.1 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) Hotfix for Windows XP (KB928388) HP Precisionscan Pro 3.1 Inspiration 7.6 Intl Intel® PRO Network Adapters and Drivers Intel® PROSet InterActual Player iTunes Java™ 6 Update 3 kgcbaby kgcbase kgchday kgchlwn kgcinvt kgckids kgcmove kgcvday Kodak EasyShare software KSU Macromedia Flash Player 8 Map Button (Windows Live Toolbar) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Data Access Components KB870669 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Professional Edition 2003 Microsoft Text-to-Speech Engine 4.0 (English) Microsoft User-Mode Driver Framework Feature Pack 1.0 Mozilla Firefox (2.0.0.13) MSN Music Assistant MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) Nero 6 Ultra Edition netbrdg Netstorm Launcher (Console) Notifier NVIDIA Display Driver NVIDIA Drivers NVIDIA Windows 2000/XP Display Drivers OfotoXMI Olympus DSS Player 2002 OLYMPUS DSS Player-Lite OneCare Advisor (Windows Live Toolbar) Paint Shop Pro 7 PC Booster Popup Blocker (Windows Live Toolbar) QuickTime RAW FILE CONVERTER LE RealPlayer Safari SafeCom Wizard SAGEM F@st 800-840 Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Security Update for Microsoft .NET Framework 2.0 (KB928365) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901190) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922760) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925454) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB946026) SFR SHASTA SKIN0001 SKINXSDK Smart Menus (Windows Live Toolbar) Sonic RecordNow! Sonic Update Manager Sony Ericsson PC Suite Spybot - Search & Destroy Spybot - Search & Destroy 1.5.2.20 staticcr tooltips Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB900930) Update for Windows XP (KB904942) Update for Windows XP (KB910437) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB929338) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) VPRINTOL Winamp (remove only) Windows Defender Windows Defender Signatures Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Live Favorites for Windows Live Toolbar Windows Live Messenger Windows Live Outlook Toolbar (Windows Live Toolbar) Windows Live Sign-in Assistant Windows Live Toolbar Windows Live Toolbar Windows Live Toolbar Extension (Windows Live Toolbar) Windows Live Toolbar Feed Detector (Windows Live Toolbar) Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows Media Player Firefox Plugin Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB887797 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 WIRELESS Yahoo! Toolbar ZoneAlarm ZoneAlarm Spy Blocker

#8 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 03 April 2008 - 06:36 PM

OK, you dont have any P2P programs in there, which was what I was looking for, so that's good.

Thos entries that have Kazaa mentioned are from your hosts file and are OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now let's just have a couple of double checks:

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the Radio buttons for Files/Folders Created Within 60 Days and Files/Folders Modified Within 60 Days
  • Check the radio button under Rootkit Search for Yes
  • Under Additional Scans check the following:
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

If the log is too large to post, please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.

By the way, has the puppy gone?

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#9 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 04 April 2008 - 12:54 AM

Sorry had to go to bed it was 0200 here the puppy has left the building! Real ones arrive Tuesday 1x andrex yellow 1 x andrex black hence the wish to download. Kaspersky scan running

Attached Files



#10 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 04 April 2008 - 07:26 AM

kaspersky as follows: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, April 04, 2008 2:24:23 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 4/04/2008 Kaspersky Anti-Virus database records: 681352 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 137123 Number of viruses found: 7 Number of infected objects: 17 Number of suspicious objects: 1 Duration of the scan process: 02:33:41 Infected Object Name / Virus Name / Last Action C:\1709b9365f4f7dcdc2b811a748cd07d3\sp2\update\update.exe Object is locked skipped C:\avenger\backup.zip/avenger/iifefcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ha skipped C:\avenger\backup.zip ZIP: infected - 1 skipped C:\Deckard\System Scanner\20080404011611\backup\DOCUME~1\JANEJE~1\LOCALS~1\Temp\chifcbgj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\Deckard\System Scanner\20080404011611\backup\DOCUME~1\JANEJE~1\LOCALS~1\Temp\cqaacsxe.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped C:\Deckard\System Scanner\20080404011611\backup\DOCUME~1\JANEJE~1\LOCALS~1\Temp\rpsjrqel.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12142006-142703.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/bar/1.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.d skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/bar/1.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/bar/1.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/bar/1.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip/bar/1.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip ZIP: infected - 5 skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip/VSAdd-in.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip ZIP: infected - 1 skipped C:\Documents and Settings\Jane Jeremy\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\cert8.db Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\formhistory.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\history.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\key3.db Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\parent.lock Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\search.sqlite Object is locked skipped C:\Documents and Settings\Jane Jeremy\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\Jane Jeremy\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ha skipped C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ha skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3E94F557-05A9-4D5B-AC0B-2499A39E3E33} Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3o3nllb.default\XUL.mfl Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp Suspicious: Trojan-Spy.HTML.Fraud.gen skipped C:\Documents and Settings\Jane Jeremy\ntuser.dat Object is locked skipped C:\Documents and Settings\Jane Jeremy\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Microsoft AntiSpyware\Quarantine\62F8224D-3642-4B6C-9F5A-8EE1FA\1CF214A9-893B-43EA-ABB2-E71EE3 Infected: not-a-virus:AdWare.Win32.180Solutions.az skipped C:\Program Files\Microsoft AntiSpyware\Quarantine\6C0E4F55-D98A-472F-87A1-79AA9C\2931FEC5-21D4-4462-91CC-98C857 Infected: not-a-virus:AdWare.Win32.180Solutions.az skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP316\change.log Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\ENGLEBERT.ldb Object is locked skipped C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{EDA4E0DB-8EDB-4F28-968C-86F0D84116EA}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_100.dat Object is locked skipped C:\WINDOWS\Temp\ZLT01114.TMP Object is locked skipped C:\WINDOWS\Temp\ZLT01158.TMP Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP316\change.log Object is locked skipped Scan process completed. Thanks

    Advertisements

Register to Remove


#11 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 04 April 2008 - 07:56 AM

Looks like all you have is the remnants of a previous infection that has been cleaned, so we should soon be in good shape. :thumbup:

Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
YN -> ~EmptyValue -> []
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 33 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 39 domain(s) and sub-domain(s) not assigned to a zone. -> 
[Files/Folders - Created Within 60 days]
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 2 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Extra Files]
C:\avenger
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip
C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll
C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll
C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#12 numpty

numpty

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 04 April 2008 - 10:33 AM

No popup but I found these if they are of any use

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\\~EmptyValue not found.
[Files/Folders - Created Within 60 days]
[Files/Folders - Modified Within 30 days]
File delete failed. C:\WINDOWS\Temp\ZLT026ea.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT02701.TMP scheduled to be deleted on reboot.
[Extra Files]
< C:\avenger >
File/Folder C:\avenger not found.
< C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip >
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip not found.
< C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip >
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip not found.
< C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll >
File/Folder C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll not found.
< C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll >
File/Folder C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll not found.
< C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp >
File/Folder C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_168.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT026ea.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT02701.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.8.3 fix logfile created on 04042008_171401


[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\\~EmptyValue not found.
[Files/Folders - Created Within 60 days]
[Files/Folders - Modified Within 30 days]
File delete failed. C:\WINDOWS\Temp\ZLT026ea.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT02701.TMP scheduled to be deleted on reboot.
[Extra Files]
< C:\avenger >
File/Folder C:\avenger not found.
< C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip >
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip not found.
< C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip >
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip not found.
< C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll >
File/Folder C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll not found.
< C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll >
File/Folder C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll not found.
< C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp >
File/Folder C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_168.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT026ea.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT02701.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.8.3 fix logfile created on 04042008_172001



[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\\~EmptyValue not found.
[Files/Folders - Created Within 60 days]
[Files/Folders - Modified Within 30 days]
File delete failed. C:\WINDOWS\Temp\ZLT01888.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT01892.TMP scheduled to be deleted on reboot.
[Extra Files]
< C:\avenger >
File/Folder C:\avenger not found.
< C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip >
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip not found.
< C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip >
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtuMonde.zip not found.
< C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll >
File/Folder C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154517-143.dll not found.
< C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll >
File/Folder C:\Documents and Settings\Jane Jeremy\Desktop\backups\backup-20070310-154558-416.dll not found.
< C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp >
File/Folder C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\IU1JQZ2G\wbkE7.tmp not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Jane Jeremy\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\TMP00000034F50A5C0767963AA2 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01888.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01892.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.8.3 fix logfile created on 04042008_172807

And the HJT says:

Logfile of HijackThis v1.99.1
Scan saved at 17:31:41, on 04/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jane Jeremy\Desktop\Jane Jeremy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [OTScanIt] C:\Documents and Settings\Jane Jeremy\Desktop\OTScanIt\OTScanIt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133602968281
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

All looks better now but I await your decision.

Cheers

#13 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 04 April 2008 - 10:57 AM

Everything looks good, and I think you are clean here. Could you reboot your computer though and see if OTScanIt produces another log for you as it is scheduled to run once more when your computer is restarted. Regards, RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#14 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 11 April 2008 - 05:29 PM

Do you still require assistance with this log? Regards, RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#15 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 13 April 2008 - 08:01 PM

Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact myself or another staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users