
HijackThis log: F2 - REG:system.ini: UserInit (Resolved)

xdustyx   

Hi,

My computer has been running really slowly, and when I looked in my Security Centre I noticed that my Windows Firewall was turned off. I guessed there might be some kind of virus on it, so I ran Malwarebytes Anti-Malware, and during the scan AVG popped up and said there was a threat detected.

It found: Trojan horse Agent2.GKP in: C:\WINDOWS\system32\oembios.exe

I moved the file to the virus vault.

ALSO, during the same Malwarebytes scan AVG found 2 other viruses:

Trojan horse Agent2.GKP - C:\system volume information\_restore

Trojan horse Agent2.GKP - C:\Documents and settings\Local settings\Temp\wJQs.exe

I moved both to the virus vault same as the first one.

After trying to find some info on this virus, I read that it can infect other things on the computer... some advice was to do a HijackThis scan and let someone take a look who may be able to help (please).

I did notice that a lot of people were concerned about something showing up on their logs, and I have the same thing on mine and don't know what to do OR even if there's something wrong. What's bothering me after I did the scan with Trend Micro HijackThis is this:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe

Could someone PLEASE take a look at my log and help me? It's really worrying me.

Many many thanks :)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:52:20, on 07/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,

O1 - Hosts: 193.125.23.12 updates.sald.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\billy\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238500135000

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241634729171

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...428/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 6968 bytes

Katana   

Please note that all instructions given are customised for this computer only,

the tools used may cause damage if used on a computer with different infections.

 

If you think you have similar problems, please post a log in the HJT forum and wait for help.

 

Hello and welcome to the forums

 

My name is Katana and I will be helping you to remove any infection(s) that you may have.

 

Please observe these rules while we work:

  • Please Read All Instructions Carefully
  • If you don't understand something, stop and ask! Don't keep going on.
  • Please do not run any other tools or scans whilst I am helping you
  • Failure to reply within 5 days will result in the topic being closed.
  • Please continue to respond until I give you the "All Clear"

    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

 

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

 

 

 

==============================WARNING==============================

There is some evidence of what may be a very nasty infection.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Back up all important data on the machine.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:

    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.

  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================

 

 

 

Download and Run SD Fix

 

Please download SDFix (by andymanchesta) and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

xdustyx   

Hello Katana...

First, can I please say THANK YOU very, very much for replying...

After posting this thread I checked my version of Malwarebytes and found that I wasn't using the latest version. I downloaded and installed it, and it seems to have found the:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe

and other things besides...

I also installed SUPERAntiSpyware, and it found quite a few things as well!

I've also rebooted in Safe Mode and rescanned afterwards, and it found NOTHING.

I manually deleted the: O1 - Hosts: 193.125.23.12 updates.sald.com

 

Please could you have a look at the logs you requested? Thank you again very much :)

(I've included a log of the Malwarebytes scan first, so you can see what it removed before it came back clear.)

 

(Malwarebytes scan after updating, BEFORE removal)

 

Malwarebytes' Anti-Malware 1.36

Database version: 2092

Windows 5.1.2600 Service Pack 3

 

08/05/2009 14:26:01

mbam-log-2009-05-08 (14-26-01).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 291276

Time elapsed: 2 hour(s), 35 minute(s), 10 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 4

Files Infected: 6

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

 

Folders Infected:

C:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\billy\Local Settings\Temp\snapsnet (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\billy\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

 

Files Infected:

C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\billy\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\billy\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.

 

 

(Malwarebytes NEW scan AFTER removal)

 

Malwarebytes' Anti-Malware 1.36

Database version: 2092

Windows 5.1.2600 Service Pack 3

 

10/05/2009 15:18:25

mbam-log-2009-05-10 (15-18-25).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 289694

Time elapsed: 1 hour(s), 23 minute(s), 31 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:35:58, on 10/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238500135000

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241634729171

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...428/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 5581 bytes

 

----------------------------------------------------------------------------------------------------------------------------

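The script below is an added example, not code from either poster, from HijackThis or from Malwarebytes. It applies the checks behind the question in this thread to excerpts of the two HijackThis logs posted above (the 07/05 log with the F2 line and the 10/05 log after cleanup; a copied subset, not the full logs). It splits the Winlogon Userinit value from the F2 line into its comma-separated components and flags anything beyond the single stock userinit.exe: the trailing comma on the stock value "userinit.exe," is normal and is not flagged, while "...userinit.exe,...oembios.exe," yields one extra entry, which is exactly the value the Malwarebytes log above reports as Hijack.UserInit. It also flags the O1 hosts entry that sends updates.sald.com to 193.125.23.12 instead of a loopback or unspecified address (a redirect, not a block), the BHO with no file, the HKCU Run entry launching from Application Data, and the O23 services whose binary is missing, then diffs the two logs to list which entries the cleanup removed and which were added. The stock Userinit path assumes the default C:\WINDOWS system root; the severities are this example's own rating, not a verdict from any tool.

```python
"""Triage of HijackThis (HJT) entries: Userinit components, hosts redirects,
orphaned BHOs, profile-path autoruns, missing service binaries, and a
before/after diff of two logs."""
import re
from ipaddress import ip_address

# Excerpts copied from the two HJT logs in this thread (a constructed subset).
HJT_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O1 - Hosts: 193.125.23.12 updates.sald.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\billy\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Stock XP Userinit value is "C:\WINDOWS\system32\userinit.exe," (one entry plus
# a trailing comma). Every extra entry is launched by winlogon at each
# interactive logon, which is why this value is a favoured persistence slot.
# Assumption: default %SystemRoot% of C:\WINDOWS.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
USER_PROFILE_MARKERS = ("\\application data\\", "\\local settings\\temp\\")


def userinit_entries(value):
    """Comma-separated components of a Userinit value, lower-cased; the empty
    field left by the trailing comma is dropped rather than flagged."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_userinit(value):
    """Return every component that is not the single stock userinit.exe."""
    extras, stock_seen = [], False
    for part in userinit_entries(value):
        if part == EXPECTED_USERINIT and not stock_seen:
            stock_seen = True
        else:
            extras.append(part)  # foreign binary, or a second copy of the stock one
    return extras


def is_hosts_redirect(ip):
    """A hosts entry pointing at loopback/unspecified blocks a name; any other
    address silently redirects it."""
    addr = ip_address(ip)
    return not (addr.is_loopback or addr.is_unspecified)


def parse_hjt(text):
    """Yield (section, body) for each 'Xn - ...' line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """List (severity, section, detail) findings for one HJT log."""
    findings = []
    for section, body in parse_hjt(text):
        low = body.lower()
        if section == "F2" and "UserInit=" in body:
            for extra in check_userinit(body.split("UserInit=", 1)[1]):
                findings.append(("high", section, "extra Userinit entry: " + extra))
        elif section == "O1":
            m = re.match(r"Hosts: (\S+) (\S+)", body)
            if m and is_hosts_redirect(m.group(1)):
                findings.append(("high", section, f"{m.group(2)} redirected to {m.group(1)}"))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("low", section, "orphaned BHO: " + body))
        elif section == "O4" and any(mk in low for mk in USER_PROFILE_MARKERS):
            findings.append(("medium", section, "autorun from user profile: " + body))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("low", section, "service binary missing: " + body))
    return findings


def diff_logs(before, after):
    """(entries removed, entries added) between two HJT logs."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sev, sec, detail in triage(HJT_BEFORE):
        print(f"[{sev:6}] {sec}: {detail}")
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("removed by cleanup:", *(f"\n  {s} - {b}" for s, b in removed))
    print("new since cleanup:", *(f"\n  {s} - {b}" for s, b in added))
```

Run as a script it prints the findings for the first log and the diff: the F2, O1, orphaned O2 and gadcom O4 entries are gone from the second log and the SUPERAntiSpyware O20 notify entry is new, while the (file missing) Apache and MySql services survive both logs; the script rates those low because a missing binary is a stale registration, not evidence of infection on its own. On the live machine the same value lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, the key named in the Malwarebytes log above, and the same component check applies to whatever is read from there.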
xdustyx   

Logfile of random's system information tool 1.06 (written by random/random)

Run by billy at 2009-05-10 13:39:14

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 11 GB (19%) free of 57 GB

Total RAM: 495 MB (51% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:39:16, on 10/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\billy\Desktop\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\billy.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238500135000

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241634729171

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...428/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 5592 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1190283110.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-02 1107224]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-10-08 155648]

"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-10-08 126976]

"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-07 98304]

"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-07 536576]

"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-02 1947928]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMTDeviceService]

C:\Program Files\AMT Media Manager\AMTDeviceService.exe [2009-01-21 184320]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [2004-02-03 401491]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

C:\Program Files\Nero\Nero8\InCD\InCD.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.GSCNS]

C:\DOCUME~1\billy\LOCALS~1\Temp\xcsoseeamm.tmp []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2007-06-18 271360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

C:\Program Files\Nero\Nero8\InCD\NBHGui.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-05-07 1830128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]

C:\SIERRA\CARDST~1\PLNRnote.exe [2000-03-24 167936]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]

C:\WINDOWS\system32\avgrsstx.dll [2009-05-02 11952]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

C:\WINDOWS\system32\igfxsrvc.dll [2004-10-08 344064]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe"="C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"

"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"

"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager"

"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"

"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Disabled:µTorrent"

"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

shell\AutoRun\command - F:\MediaManager.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a84d0e96-3af2-11de-acb9-000e35db220a}]

shell\AutoRun\command - F:\MediaManager.exe

 

 

======File associations======

 

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

.reg - open - regedit.exe "%1" %*

.scr - open - "%1" %*

 

======List of files/folders created in the last 1 months======

 

2009-05-10 00:54:38 ----D---- C:\rsit

2009-05-09 22:27:44 ----D---- C:\Documents and Settings\billy\Application Data\wsInspector

2009-05-09 22:07:27 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan

2009-05-09 22:07:18 ----D---- C:\Program Files\Security Task Manager

2009-05-08 18:24:30 ----A---- C:\WINDOWS\ntbtlog.txt

2009-05-08 14:27:59 ----D---- C:\Avenger

2009-05-07 20:35:28 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-07 20:35:09 ----D---- C:\Program Files\SUPERAntiSpyware

2009-05-07 20:35:08 ----D---- C:\Documents and Settings\billy\Application Data\SUPERAntiSpyware.com

2009-05-07 20:34:32 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2009-05-07 16:27:54 ----D---- C:\Program Files\Trend Micro

2009-05-07 14:21:05 ----D---- C:\Program Files\AMT Media Manager

2009-05-07 09:56:47 ----A---- C:\WINDOWS\system32\mucltui.dll.mui

2009-05-07 09:56:47 ----A---- C:\WINDOWS\system32\mucltui.dll

2009-04-16 22:02:29 ----D---- C:\Program Files\Navman

2009-04-16 22:01:25 ----D---- C:\Documents and Settings\billy\Application Data\InstallShield

2009-04-16 07:42:38 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$

2009-04-16 07:42:22 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$

2009-04-16 07:37:31 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$

2009-04-16 07:37:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$

2009-04-16 07:36:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$

2009-04-16 07:36:32 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$

2009-04-16 07:36:04 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$

2009-04-16 07:32:44 ----N---- C:\WINDOWS\system32\xpsp4res.dll

 

======List of files/folders modified in the last 1 months======

 

2009-05-10 12:44:15 ----D---- C:\WINDOWS\system32\CatRoot2

2009-05-10 12:35:34 ----D---- C:\WINDOWS\Temp

2009-05-10 02:51:14 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-05-10 00:31:48 ----D---- C:\Program Files\Bonjour

2009-05-10 00:26:20 ----D---- C:\WINDOWS\system32

2009-05-10 00:26:06 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-05-09 22:27:59 ----RD---- C:\Program Files

2009-05-09 10:30:23 ----SHD---- C:\System Volume Information

2009-05-09 10:30:23 ----D---- C:\WINDOWS\system32\Restore

2009-05-08 18:24:30 ----D---- C:\WINDOWS

2009-05-08 16:31:15 ----A---- C:\playout.txt

2009-05-08 14:52:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-05-08 14:46:00 ----SH---- C:\boot.ini

2009-05-08 14:46:00 ----A---- C:\WINDOWS\win.ini

2009-05-08 14:46:00 ----A---- C:\WINDOWS\system.ini

2009-05-08 14:27:59 ----D---- C:\WINDOWS\system32\drivers

2009-05-08 14:14:44 ----HD---- C:\$AVG8.VAULT$

2009-05-08 11:14:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-05-07 20:35:22 ----SHD---- C:\WINDOWS\Installer

2009-05-07 20:34:32 ----D---- C:\Program Files\Common Files

2009-05-07 20:03:07 ----D---- C:\WINDOWS\Help

2009-05-07 14:21:03 ----HD---- C:\Program Files\InstallShield Installation Information

2009-05-07 09:56:45 ----HD---- C:\WINDOWS\inf

2009-05-02 21:37:11 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-05-02 09:17:16 ----A---- C:\WINDOWS\system32\avgrsstx.dll

2009-04-30 14:14:25 ----A---- C:\WINDOWS\NeroDigital.ini

2009-04-17 13:19:07 ----D---- C:\WINDOWS\Prefetch

2009-04-16 17:17:07 ----D---- C:\WINDOWS\system32\wbem

2009-04-16 17:17:06 ----D---- C:\WINDOWS\AppPatch

2009-04-16 07:42:34 ----A---- C:\WINDOWS\imsins.BAK

2009-04-16 07:37:19 ----HD---- C:\WINDOWS\$hf_mig$

2009-04-11 12:18:19 ----D---- C:\WINDOWS\Microsoft.NET

2009-04-11 12:18:15 ----RSD---- C:\WINDOWS\assembly

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-02 325896]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-02 27784]

R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-02 108552]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []

R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []

R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2006-12-26 15440]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]

R3 CONAN;CONAN; C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 191092]

R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2006-12-26 34760]

R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]

R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-10-08 752093]

R3 MbxStby;MbxStby; C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-28 6100]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-02-11 14572]

R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-04-13 70144]

R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-07 182688]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]

R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2004-07-23 159488]

R3 w22n51;Intel® PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\system32\DRIVERS\w22n51.sys [2004-03-08 1657344]

S3 agcl3pp4;agcl3pp4; C:\WINDOWS\system32\drivers\agcl3pp4.sys []

S3 AR5211;TP-LINK Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-06-25 463168]

S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2006-03-13 7296]

S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]

S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]

S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]

S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]

S3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2004-04-19 230656]

S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2004-04-19 1301488]

S3 MusCAudio;MusCAudio; C:\WINDOWS\system32\drivers\MusCAudio.sys [2009-03-26 23096]

S3 MusCVideo;MusCVideo; C:\WINDOWS\system32\DRIVERS\MusCVideo.sys [2009-03-26 3768]

S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2007-02-22 137216]

S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2007-02-22 8320]

S3 nmwcdcj;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2007-02-22 12288]

S3 nmwcdcm;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2007-02-22 12288]

S3 NtMtlFax;NtMtlFax; C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2004-04-19 180664]

S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-08-16 180480]

S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []

S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []

S3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\slntamr.sys [2004-04-19 635152]

S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\Slnthal.sys [2004-04-19 95760]

S3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2004-04-19 13312]

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

S3 usbser;Motorola A1000 USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2003-12-22 104064]

S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-08-11 18944]

S3 ZD1211U(ZyDAS);WLAN 802.11g USB2.0 Adapter(ZyDAS); C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-08-03 237568]

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-02 908568]

R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]

S2 Apache;Apache; C:\Program Files\Saurus CMS\Apache\Apache.exe --ntservice []

S2 MySql;MySql; C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe []

S2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2004-04-19 45056]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]

S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-06-15 300544]

S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

 

-----------------EOF-----------------

xdustyx   

info.txt logfile of random's system information tool 1.06 2009-05-10 13:39:18

 

======Uninstall list======

 

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

µTorrent-->"C:\Program Files\uTorrent\uninstall.exe"

A4Desk v6.15-->"C:\Program Files\A4Desk\unins000.exe"

AAS Template Generator-->MsiExec.exe /I{23E08DBD-FCFA-4B51-98AA-26A3ADCCA893}

AceFTP 3 Freeware-->"C:\Program Files\Visicom Media\AceFTP 3 freeware\uninst-ftp.exe"

Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}

Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}

Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log

AMT Media Manager-->"C:\Program Files\InstallShield Installation Information\{80AAD9DF-7E64-40D2-80D2-BECA41593EEB}\setup.exe" -runfromtemp -l0x0009 -removeonly

Apple Mobile Device Support-->MsiExec.exe /I{AFA20D47-69C3-4030-8DF8-D37466E70F13}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL

Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}

CDRWIN-->C:\CDRWIN3\UNWISE.EXE C:\CDRWIN3\INSTALL.LOG

Cell Phone Wallpaper Maker 2.0-->"C:\Program Files\Keronsoft\Cell Phone Wallpaper Maker\unins000.exe"

CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"

Consolo-->"C:\Program Files\Consolo\uninstall.exe"

DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

DJEM 1.1.947-->C:\Program Files\DJEM\uninst.exe

DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"

DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"

Ewisoft Template Builder 1.1-->"C:\Program Files\EwisoftTemplate\unins000.exe"

Ewisoft Website Builder (include eCommerce Builder) Version 4.3-->"C:\Program Files\EwisoftWeb\unins000.exe"

FlashWebKit v2.0 Trial-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-FlashWebKit v2.0 Trial.dat

Garmin WebUpdater-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FD94FBC-07AE-475C-B522-BFE899B9048E}\setup.exe" -l0x9

GTK+ 2.8.18-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\unins000.exe"

Hallmark Card Studio-->C:\WINDOWS\IsUninst.exe -fC:\SIERRA\CardStudio\Uninst.isu

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"

HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}

HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}

HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}

HP Photo and Imaging 2.0 - hp psc 1200 series-->C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot

hp psc 1200 series-->MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}

hp psc 1200 series-->rundll32 hpzcon07.dll,VendorJettison hp psc 1200 series

Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582

iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}

Jasc Animation Shop 3 20041030_07 Help file Patch-->C:\Program Files\Jasc Software Inc\Animation Shop 3\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\ANIMAT~1\INSTALL.LOG

Jasc Animation Shop 3-->MsiExec.exe /I{7C4196CA-CA41-4F34-9C08-7724E7705D52}

Jasc Paint Shop Pro 9 GDI+ Patch-->C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG

Jasc Paint Shop Pro 9.01 - (9.0.1.1)-->C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG

Jasc Paint Shop Pro 9.01 Patch-->C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG

Jasc Paint Shop Pro 9-->MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}

Java 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}

Java 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}

Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}

Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}

Macromedia Fireworks 8-->MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}

Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}

Macromedia Flash Player 4 for the PocketPC-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0B71D81-1AEB-4C9F-849B-C4CD318F0A46}\Setup.exe"

Macromedia Flash Player 8 Plugin-->MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}

MAGIX Ringtone Maker 2 silver (US)-->C:\MAGIX\Ringtone_Maker_2_silver\instslct.exe

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}

Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft ActiveSync 3.7-->"C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"

Microsoft Arcade PocketPak-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C75445DB-3A6D-11D5-A081-005004F915E3}\Setup.exe" anything

Microsoft Cubicle Chaos for Pocket PC (Remove Only)-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Microsoft ActiveSync\Pocket PC Cubicle Chaos\DeIsL1.isu"

Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe

MP3+G Toolz-->MsiExec.exe /I{F50A4470-7A45-4A5A-97F8-806990B736C2}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

My Free Web Site Builder-->"C:\Program Files\My Free Web Site Builder\unins000.exe"

Navman NavDesk 2008-->C:\Program Files\InstallShield Installation Information\{9C8732C3-32DE-4569-9E90-30040D76DABC}\Setup.exe -runfromtemp -l0x0009 -removeonly

Nero 6-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

NeroVision Express 3-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL

NeroVision Express Content-->C:\WINDOWS\UNNVEContent.exe /UNINSTALL

Nokia Connectivity Cable Driver-->MsiExec.exe /X{11964613-805F-432D-A12B-169554B793E7}

Nokia PC Suite-->C:\Documents and Settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Nokia_PC_Suite_6_84_10_3_eng_web.exe

Nokia PC Suite-->MsiExec.exe /I{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}

O2Micro MemoryCardBus Windows Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{015D937D-9D52-45A4-BDAA-2413938C0564} /l1033

PC Connectivity Solution-->MsiExec.exe /I{99A40651-0BC2-4095-8F9A-A40FAB224FEF}

Pocket Wallpaper-->C:\Program Files\PocketWallpaper\uninstal.exe

PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}

ROUTE 66 Safety Camera Update-->C:\Program Files\InstallShield Installation Information\{FB89456A-8EEE-4357-AAE1-1A5A46A974AD}\setup.exe -runfromtemp -l0x0009 -removeonly

scooterrace-->C:\WINDOWS\system32\scooterrace.scr /u /m scooterrace

Security Task Manager 1.7h-->C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"

Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"

Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"

Serif WebManager 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE9A7847-4496-451B-B39F-CF2C11AFABE5}\setup.exe" -l0x9

Serif WebPlus 7.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8702416E-5CFD-4D48-9674-F0ED6AAC13BF}\setup.exe"

Smart Link 56K Modem-->C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove

SmartFTP Client 2.0-->MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}

Sqirlz Water Reflections-->C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe

SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}

Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall

The GIMP 2.2.12-->"C:\Program Files\GIMP-2.0\unins000.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

VIA Audio Driver Setup Program-->RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -y-f"C:\PROGRA~1\VIAudioi\SBASetup\Uninst.isu"

Web Easy Professional 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB46AB60-F603-4FEA-8A0C-590EA4982C0B}\Setup.exe" -l0x9 -removeonly

Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_044C8712DB44F83D9DE6C376991EE9254E0A69E4\pccswpddriver.inf

Windows Driver Package - Nokia Modem (02/15/2007 3.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf

Windows Driver Package - Nokia Modem (02/15/2007 3.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_F12A08B6F776984A95553486F64C541356F86E38\pccs_bluetooth.inf

Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_5E1541AFF1E1EA3554CE566743CCAD323ED1C108\nokbtmdm.inf

Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}

Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}

Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

 

=====HijackThis Backups=====

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2009-05-10]

O1 - Hosts: 193.125.23.12 updates.sald.com [2009-05-10]

 

======Hosts File======

 

127.0.0.1 *symantec*

127.0.0.1 symantec.com

127.0.0.1 *avast*

127.0.0.1 *avira*

127.0.0.1 *nod32*

127.0.0.1 nod32.com

127.0.0.1 nod32.ru

127.0.0.1 nod32.co.uk

127.0.0.1 http://nod32.com

127.0.0.1 *eset*

 

======Security center information======

 

AV: AVG Anti-Virus Free

 

======System event log======

 

Computer Name: BILLY007

Event Code: 7000

Message: The Apache service failed to start due to the following error:

The system cannot find the path specified.

 

 

Record Number: 58495

Source Name: Service Control Manager

Time Written: 20090331171505.000000+060

Event Type: error

User:

 

Computer Name: BILLY007

Event Code: 20

Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

 

Record Number: 58445

Source Name: Print

Time Written: 20090331165645.000000+060

Event Type: warning

User: NT AUTHORITY\SYSTEM

 

Computer Name: BILLY007

Event Code: 20

Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

 

Record Number: 58444

Source Name: Print

Time Written: 20090331165635.000000+060

Event Type: warning

User: NT AUTHORITY\SYSTEM

 

Computer Name: BILLY007

Event Code: 7000

Message: The MySql service failed to start due to the following error:

The system cannot find the file specified.

 

 

Record Number: 58410

Source Name: Service Control Manager

Time Written: 20090331161524.000000+060

Event Type: error

User:

 

Computer Name: BILLY007

Event Code: 7000

Message: The Apache service failed to start due to the following error:

The system cannot find the path specified.

 

 

Record Number: 58409

Source Name: Service Control Manager

Time Written: 20090331161524.000000+060

Event Type: error

User:

 

======Environment variables======

 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel

"PROCESSOR_REVISION"=0d06

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

 

-----------------EOF-----------------

Katana   

Information

I also installed SUPER antispyware, and it found quite a few things as well!

Please do not run any other tools or scans whilst I am helping you

 

IMPORTANT

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

 

uTorrent

LimeWire

 

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

 

Also available here.

 

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs

Please note: you must NOT use any P2P whilst we are cleaning your machine.

 

----------------------------------------------------------- -----------------------------------------------------------

 

Step 1

 

 

Download and Run ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix:

 

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop

  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

  • Double click combofix.exe & follow the prompts.

  • When finished, it will produce a log. Please save that log to post in your next reply

  • Re-enable all the programs that were disabled during the running of ComboFix.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

 

----------------------------------------------------------- -----------------------------------------------------------

Step 2

 

Restore Host File

 

Download HostsXpert v4.1 and unzip it to your desktop.

  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection. (unless you plan to use another host file)
  • Exit the program.
Visit the Website for more information.

 

----------------------------------------------------------- -----------------------------------------------------------

Step 3

Kaspersky Online Scanner.

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal

NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin

Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

 

Read the Requirements and limitations before you click Accept.

Once the database has downloaded, click My Computer in the left pane

Now go and put the kettle on!

When the scan has completed, click Save Report As...

Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)

Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

 

 

**Note**

 

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

 

----------------------------------------------------------- -----------------------------------------------------------

Step 4

 

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Combofix Log
  • Kaspersky Log
  • How are things running now ?
----------------------------------------------------------- -----------------------------------------------------------

 

Additional Notes

 

 

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

 

Adobe Reader is a large program and uses unnecessary space.

If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts
Remove Programs

 

Older versions of some programs have vulnerabilities that malware can use to infect your system.

 

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista). If any of the following programs are listed there, click on the program to highlight it, and click on remove.

  • Adobe Reader 8.1.2
  • Java™ 6 Update 2

Now close the Control Panel.

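A check for the kind of hosts-file hijacking shown in the RSIT log above (the 127.0.0.1 entries for symantec, avast, nod32 and eset, and the 193.125.23.12 updates.sald.com line that HijackThis had already backed up), written as an added example for this thread; it is not code from the forum or from HostsXpert. The vendor keyword list, the regex and the SAMPLE_HOSTS text are constructed here for illustration.

```python
"""Flag hosts-file entries that block or redirect security vendors.

Added example for this thread; not part of the forum post or of HostsXpert.
The keyword list and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# A stock Windows hosts file resolves only localhost (comments aside).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Name fragments of security vendors and update services. Hosts-file hijackers
# point these at loopback so updates and removal tools can no longer download.
SECURITY_VENDOR_KEYWORDS = (
    "symantec", "norton", "avast", "avira", "nod32", "eset", "kaspersky",
    "mcafee", "malwarebytes", "trendmicro", "windowsupdate",
)

# Hostname per RFC 1123: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. Wildcards and URLs do not match.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample: a stock localhost line plus entries seen in the log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 *symantec*
127.0.0.1 symantec.com
127.0.0.1 *avast*
127.0.0.1 nod32.co.uk
127.0.0.1 http://nod32.com
127.0.0.1 *eset*
193.125.23.12 updates.sald.com
"""

# Reason prefixes that mark a hijack indicator rather than a harmless custom entry.
SEVERE_PREFIXES = ("malformed", "security vendor", "external address")


@dataclass
class Finding:
    line_no: int
    text: str
    reasons: List[str]

    @property
    def severe(self) -> bool:
        """True when the line is a hijack indicator, not merely non-default."""
        return any(r.startswith(SEVERE_PREFIXES) for r in self.reasons)


def audit_hosts(content: str) -> List[Finding]:
    """Return one Finding per non-default hosts line, with why it is suspect."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(content.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr_text, names = fields[0], fields[1:]
        reasons: List[str] = []

        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            addr = None
            reasons.append(f"malformed address field {addr_text!r}")

        if not names:
            reasons.append("malformed line: no hostname after the address")

        # The stock localhost mapping is expected; everything else is custom.
        custom = [n for n in names if (addr_text, n.lower()) not in DEFAULT_ENTRIES]
        for name in custom:
            lower = name.lower()
            if not HOSTNAME_RE.match(name):
                # '*symantec*' and 'http://nod32.com' are not valid hosts syntax;
                # the hijacker wrote them anyway, so they are a strong tell.
                reasons.append(f"malformed hostname {name!r}")
            if any(key in lower for key in SECURITY_VENDOR_KEYWORDS):
                reasons.append(f"security vendor name {name!r} is being redirected")
            if addr is not None and addr.is_global:
                # A hostname sent to a public address is a redirect, not a block.
                reasons.append(f"external address {addr_text} for {name!r}")

        if custom and not reasons:
            reasons.append("non-default entry: " + ", ".join(custom))
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings


def is_hijacked(content: str) -> bool:
    """True when any line carries a hijack indicator (malformed, vendor, external)."""
    return any(f.severe for f in audit_hosts(content))


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(f"line {finding.line_no}: {finding.text}")
        for reason in finding.reasons:
            print("    -", reason)
    print("hijacked:", is_hijacked(SAMPLE_HOSTS))
```

Point `audit_hosts` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` (or at the copy saved before restoring it) to see which lines HostsXpert's restore will discard and why.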
xdustyx   

Hello Katana,

 

I removed uTorrent, I didn't use it anyway... and LimeWire was removed a long time ago, but it was still ticked in the exceptions on my firewall settings so I deleted it along with the uTorrent one.

I did the ComboFix (please see attached log) and I also did the hosts file AND made it read only, there were absolutely loads of entries in it... I saved a copy before I restored the MS hosts file.

I did a Kaspersky online scan (please see attached log); I had actually done it the wrong way around (before using ComboFix) so I've added that one as well.

I've also removed:

Adobe Reader 8.1.2 AND Java™ 6 Update 2

 

Thank you once again for helping me.

 

ComboFix 09-05-09.05 - billy 11/05/2009 8:11.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.495.201 [GMT 1:00]

Running from: c:\documents and settings\billy\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\temp\FT62

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system32\dPI19

 

.

((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))

.

 

2009-05-09 23:54 . 2009-05-10 12:39 -------- d-----w C:\rsit

2009-05-09 21:27 . 2009-05-09 21:27 -------- d-----w c:\documents and settings\billy\Application Data\wsInspector

2009-05-09 21:07 . 2009-05-09 21:24 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan

2009-05-09 21:07 . 2009-05-09 21:09 -------- d-----w c:\program files\Security Task Manager

2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-07 19:35 . 2009-05-07 21:23 -------- d-----w c:\program files\SUPERAntiSpyware

2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\billy\Application Data\SUPERAntiSpyware.com

2009-05-07 19:34 . 2009-05-07 19:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-05-07 15:27 . 2009-05-07 15:27 -------- d-----w c:\program files\Trend Micro

2009-05-07 13:21 . 2009-05-07 14:53 -------- d-----w c:\program files\AMT Media Manager

2009-05-07 08:56 . 2008-10-16 13:06 268648 ----a-w c:\windows\system32\mucltui.dll

2009-05-02 10:28 . 2008-04-13 18:46 38912 -c--a-w c:\windows\system32\dllcache\avc.sys

2009-05-02 10:21 . 2001-08-17 13:07 101888 -c--a-w c:\windows\system32\dllcache\adpu160m.sys

2009-05-02 10:20 . 2001-08-17 13:56 66048 -c--a-w c:\windows\system32\dllcache\s3legacy.dll

2009-04-16 22:12 . 2009-04-16 22:12 -------- d-----w c:\documents and settings\billy\Local Settings\Application Data\Navman_Technology_New_Zea

2009-04-16 21:02 . 2009-04-16 21:02 -------- d-----w c:\program files\Navman

2009-04-16 21:01 . 2009-04-16 21:01 -------- d-----w c:\documents and settings\billy\Application Data\InstallShield

2009-04-16 06:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-16 06:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-04-16 06:31 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-16 06:31 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-16 06:31 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-16 06:31 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-16 06:31 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 06:31 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-10 21:59 . 2006-09-03 01:49 -------- d-----w c:\program files\Java

2009-05-10 21:56 . 2006-09-06 14:53 -------- d-----w c:\program files\Common Files\Adobe

2009-05-09 23:31 . 2009-04-06 21:03 -------- d-----w c:\program files\Bonjour

2009-05-08 10:14 . 2008-08-13 05:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-07 13:21 . 2006-09-03 02:06 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-02 08:17 . 2008-07-23 07:22 11952 ----a-w c:\windows\system32\avgrsstx.dll

2009-05-02 08:17 . 2008-07-23 07:22 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-05-02 08:16 . 2008-07-23 07:22 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-04-06 21:04 . 2009-04-06 21:03 -------- d-----w c:\program files\iTunes

2009-04-06 21:03 . 2009-04-06 21:03 -------- d-----w c:\program files\iPod

2009-04-06 21:02 . 2009-04-06 21:01 -------- d-----w c:\program files\QuickTime

2009-04-06 21:01 . 2009-04-06 21:01 -------- d-----w c:\program files\Apple Software Update

2009-04-06 21:00 . 2009-04-06 21:00 -------- d-----w c:\program files\Common Files\Apple

2009-04-06 20:21 . 2007-01-04 21:00 -------- d-----w c:\program files\MP3+G Toolz .NET 4

2009-04-06 20:20 . 2006-09-03 01:57 263808 ----a-w c:\documents and settings\billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-06 20:18 . 2009-04-06 20:14 -------- d-----w c:\program files\HooTech

2009-04-06 14:32 . 2008-08-13 05:40 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 14:32 . 2008-08-13 05:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-31 18:42 . 2006-09-03 03:42 -------- d-----w c:\program files\MSN Messenger

2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\MSBuild

2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\Reference Assemblies

2009-03-31 14:55 . 2009-03-31 14:55 -------- d-----w c:\program files\MSXML 4.0

2009-03-31 13:14 . 2006-09-03 01:45 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-03-26 09:49 . 2009-04-06 20:32 3768 ----a-w c:\windows\system32\drivers\MusCVideo.sys

2009-03-26 09:49 . 2009-04-06 20:32 23096 ----a-w c:\windows\system32\drivers\MusCAudio.sys

2009-03-19 15:32 . 2009-04-06 21:04 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-09 05:19 . 2009-02-25 07:59 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-02-20 08:10 . 2004-09-29 18:47 666112 ----a-w c:\windows\system32\wininet.dll

2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll

2006-10-30 20:58 . 2006-10-30 20:58 59860 ----a-w c:\program files\StreetPiloti3_320.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-02 08:17 11952 ----a-w c:\windows\system32\avgrsstx.dll

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk

backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/07/2008 08:22 325896]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/07/2008 08:22 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 11:43 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/07/2008 08:22 908568]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/07/2008 08:22 298776]

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [03/09/2006 03:10 191092]

R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [03/09/2006 03:10 6100]

S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [06/04/2009 21:32 23096]

S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [06/04/2009 21:32 3768]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [01/03/2007 19:39 180480]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\MediaManager.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a84d0e96-3af2-11de-acb9-000e35db220a}]

\Shell\AutoRun\command - F:\MediaManager.exe

.

Contents of the 'Scheduled Tasks' folder

 

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2007-12-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8190283110.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-11 08:14

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(768)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-05-11 8:17

ComboFix-quarantined-files.txt 2009-05-11 07:17

 

Pre-Run: 11,169,320,960 bytes free

Post-Run: 17,815,207,936 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

180 --- E O F --- 2009-04-16 06:42

xdustyx   

KASPERSKY LOG BEFORE combofix

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Monday, May 11, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Sunday, May 10, 2009 23:57:18

Records in database: 2156690

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 199108

Threat name: 11

Infected objects: 51

Suspicious objects: 0

Duration of the scan: 05:32:14

 

 

File name / Threat name / Threats count

C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-2c062a7a Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\Local Settings\Temp\backup_full.tar.gz Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\Local Settings\Temp\rrmrcraoxc.tmp Infected: Trojan.Win32.VB.hew 1

C:\Documents and Settings\billy\Local Settings\Temp\xoccaemaar.tmp Infected: Trojan.Win32.VB.hew 1

C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 28th Aug 07.gz Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1

C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip Infected: not-a-virus:AdWare.Win32.Megap.a 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe Infected: Trojan.Win32.Agent.blfs 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Trojan.Win32.Agent.blfs 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nuu 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nut 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2

C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip Infected: Email-Worm.Win32.Avron.b 1

The selected area was scanned.

KASPERSKY LOG AFTER combofix

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Monday, May 11, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Monday, May 11, 2009 09:25:16

Records in database: 2159458

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 187682

Threat name: 10

Infected objects: 48

Suspicious objects: 0

Duration of the scan: 05:44:50

 

 

File name / Threat name / Threats count

C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-2c062a7a Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07.gz Infected: Email-Worm.Win32.Avron.b 1

C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1

C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip Infected: not-a-virus:AdWare.Win32.Megap.a 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe Infected: Trojan.Win32.Agent.blfs 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Trojan.Win32.Agent.blfs 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nuu 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nut 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2

C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1

C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip Infected: Email-Worm.Win32.Avron.b 1

The selected area was scanned.

HIJACKTHIS log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:35:49, on 11/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238500135000

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241634729171

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...428/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 6001 bytes

Katana   

There appear to be a lot of David Blaine-related zip folders that seem to be infected. Do you know anything about them?

I'm going to upload a couple and see if they are actually infected.

There also look to be some infected backups:

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\dragonfun\newadmin\emailall.php

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07.gz

I don't know if there is anything in those that you need, so if not let me know and then I can remove them.

(Do you run a website?)

Custom CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://forums.pcpitstop.com/index.php?showtopic=168357
    Comment:: Katana
    
    Suspect::[4]
    C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip
    C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip
    C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip
    C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip
    File::
    C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0
    C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip
    C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip
    C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip
    ADS::
  • Save this as CFScript.txt and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

  • **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

    • Ensure you are connected to the internet and click OK on the message box.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

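Katana's triage above (several copies of the same infected zip under different folders, and hits inside the forum backups) can be pulled out of a Kaspersky report mechanically. This Python script is an added example, not code from the thread or from Kaspersky; the sample lines are copied from the report earlier in the thread, and the function names are my own:

```python
"""Triage helper for Kaspersky Online Scanner 7.0 report lines.

Added example (not part of the thread): parses the
"<path> Infected: <threat name> <count>" lines printed under
"File name / Threat name / Threats count" and groups them the way a helper
reading the list would: per threat, repeated copies of one infected file under
different folders, and detections that sit inside backup sets.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample: report lines in the format seen in the thread, plus two
# header lines and the trailer, to show that non-detection lines are skipped.
SAMPLE_LINES = [
    "Scan statistics:",
    "Files scanned: 187682",
    r"C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-2c062a7a Infected: Trojan-Downloader.Java.OpenStream.ac 1",
    r"C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1",
    r"C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2",
    r"C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1",
    r"C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1",
    r"C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07.gz Infected: Email-Worm.Win32.Avron.b 1",
    r"C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1",
    r"C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1",
    r"C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip Infected: Email-Worm.Win32.Avron.b 1",
    "The selected area was scanned.",
]

# One detection line: the path may contain spaces, so it is matched non-greedily
# up to the literal " Infected: " marker; the threat name never contains spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")


class Detection(NamedTuple):
    path: str
    threat: str
    count: int


def parse_report(lines: Iterable[str]) -> List[Detection]:
    """Return one Detection per detection line; headers, statistics and blank
    lines are skipped, so a whole pasted report can be fed in unchanged."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def by_threat(dets: List[Detection]) -> Dict[str, int]:
    """Number of infected objects (report lines) per threat name."""
    return dict(Counter(d.threat for d in dets))


def repeated_copies(dets: List[Detection]) -> Dict[str, List[str]]:
    """File names flagged under more than one folder. Each is a separate copy of
    the same infected download, so deleting one copy does not clean the machine."""
    paths = defaultdict(set)
    for d in dets:
        paths[PureWindowsPath(d.path).name.lower()].add(d.path)
    return {name: sorted(p) for name, p in paths.items() if len(p) > 1}


def backup_hits(dets: List[Detection]) -> List[Detection]:
    """Detections whose path runs through a folder or file named like a backup.
    Restoring such a backup would bring the infection straight back."""
    return [
        d for d in dets
        if any("backup" in part.lower() for part in PureWindowsPath(d.path).parts)
    ]


def summary(dets: List[Detection]) -> str:
    """Human-readable triage summary of a parsed report."""
    out = [f"{len(dets)} infected objects, {sum(d.count for d in dets)} threats total"]
    for threat, n in sorted(by_threat(dets).items(), key=lambda kv: -kv[1]):
        out.append(f"  {n:3d}  {threat}")
    for name, paths in repeated_copies(dets).items():
        out.append(f"{name}: {len(paths)} copies")
        out.extend(f"    {p}" for p in paths)
    hits = backup_hits(dets)
    if hits:
        out.append("inside backups:")
        out.extend(f"    {d.path}  ({d.threat})" for d in hits)
    return "\n".join(out)


if __name__ == "__main__":
    print(summary(parse_report(SAMPLE_LINES)))
```

Feed the whole pasted report to parse_report() and the headers and trailer are ignored; only the detection lines are counted.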
xdustyx   

Hello Katana,

The David Blaine zip folders are what my husband bought, along with a lot more different ones, because he opened an ebook store online and was gradually going to use them on there and on another "magic" site he was planning to open.

We always scan them after we download them, BUT none have ever shown up to have a virus inside. Once, when we scanned a file after we'd paid for it and downloaded it, it DID show up to have a virus... it was vip-isc.zip, and the scan found Email-Worm.Win32.Avron.b.

[screenshot: the AVG detection on vip-isc.zip]

We contacted the person who sold it to us and he was horrified; he said he had scanned it before he sent it and again after we told him, and it still showed nothing after the virus scan. He refunded us, but we never used or even opened the file; we let AVG have it. I took a screenshot of what came up in AVG and sent it to him to show him.

He sent us another download link to try again; we scanned it and it came up the same, so we never touched it (forgot to delete it).

Yes, I have my own website (a forum), which I started again from scratch with a new domain name etc. We couldn't back the old forum up anymore or make changes anymore, and strange things were happening to it. We couldn't access it through FTP either, because it said there was a problem with the passwords. (thecryptt) was the old forum we had & it's still there (www.thecryptt.co.uk), but we don't use it anymore and I just put a redirection link on there for the new forum.

I don't need ANY of the files that are on the Kaspersky list, and I really would appreciate it if you could help me get rid of them all, please; they're really a worry now.

Once again THANK YOU very very much, and here's the log.

Jayne

ComboFix 09-05-11.01 - billy 11/05/2009 21:47.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.495.132 [GMT 1:00]

Running from: c:\documents and settings\billy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\billy\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

 

FILE ::

c:\documents and settings\billy\Application Data\Sun\Java\Deployment\cache\6.0

c:\documents and settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip

c:\documents and settings\billy\My Documents\My Pictures\hotchix2006.exe

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip

c:\documents and settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip

 

file zipped: c:\documents and settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\Suspect_davidblaine.zip.vir

file zipped: c:\documents and settings\billy\Desktop\recent downloads\alberts new website\Suspect_MegaeBookStore200MRR.zip.vir

file zipped: c:\documents and settings\billy\My Documents\albert ebooks\Suspect_ebooks1.zip.vir

file zipped: c:\documents and settings\billy\My Documents\website and internet\web stuff\Suspect_hypnosis_advanced.zip.vir

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip

c:\documents and settings\billy\My Documents\My Pictures\hotchix2006.exe

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe

c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip

c:\documents and settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip

 

.

((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))

.

 

2009-05-09 23:54 . 2009-05-10 12:39 -------- d-----w C:\rsit

2009-05-09 21:27 . 2009-05-09 21:27 -------- d-----w c:\documents and settings\billy\Application Data\wsInspector

2009-05-09 21:07 . 2009-05-09 21:24 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan

2009-05-09 21:07 . 2009-05-09 21:09 -------- d-----w c:\program files\Security Task Manager

2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-07 19:35 . 2009-05-07 21:23 -------- d-----w c:\program files\SUPERAntiSpyware

2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\billy\Application Data\SUPERAntiSpyware.com

2009-05-07 19:34 . 2009-05-07 19:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-05-07 15:27 . 2009-05-07 15:27 -------- d-----w c:\program files\Trend Micro

2009-05-07 13:21 . 2009-05-07 14:53 -------- d-----w c:\program files\AMT Media Manager

2009-05-07 08:56 . 2008-10-16 13:06 268648 ----a-w c:\windows\system32\mucltui.dll

2009-05-02 10:28 . 2008-04-13 18:46 38912 -c--a-w c:\windows\system32\dllcache\avc.sys

2009-05-02 10:21 . 2001-08-17 13:07 101888 -c--a-w c:\windows\system32\dllcache\adpu160m.sys

2009-05-02 10:20 . 2001-08-17 13:56 66048 -c--a-w c:\windows\system32\dllcache\s3legacy.dll

2009-04-16 22:12 . 2009-04-16 22:12 -------- d-----w c:\documents and settings\billy\Local Settings\Application Data\Navman_Technology_New_Zea

2009-04-16 21:02 . 2009-04-16 21:02 -------- d-----w c:\program files\Navman

2009-04-16 21:01 . 2009-04-16 21:01 -------- d-----w c:\documents and settings\billy\Application Data\InstallShield

2009-04-16 06:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-16 06:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-04-16 06:31 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-16 06:31 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-16 06:31 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-16 06:31 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-16 06:31 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 06:31 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-10 21:59 . 2006-09-03 01:49 -------- d-----w c:\program files\Java

2009-05-10 21:56 . 2006-09-06 14:53 -------- d-----w c:\program files\Common Files\Adobe

2009-05-09 23:31 . 2009-04-06 21:03 -------- d-----w c:\program files\Bonjour

2009-05-08 10:14 . 2008-08-13 05:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-07 13:21 . 2006-09-03 02:06 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-02 08:17 . 2008-07-23 07:22 11952 ----a-w c:\windows\system32\avgrsstx.dll

2009-05-02 08:17 . 2008-07-23 07:22 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-05-02 08:16 . 2008-07-23 07:22 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-04-06 21:04 . 2009-04-06 21:03 -------- d-----w c:\program files\iTunes

2009-04-06 21:03 . 2009-04-06 21:03 -------- d-----w c:\program files\iPod

2009-04-06 21:02 . 2009-04-06 21:01 -------- d-----w c:\program files\QuickTime

2009-04-06 21:01 . 2009-04-06 21:01 -------- d-----w c:\program files\Apple Software Update

2009-04-06 21:00 . 2009-04-06 21:00 -------- d-----w c:\program files\Common Files\Apple

2009-04-06 20:21 . 2007-01-04 21:00 -------- d-----w c:\program files\MP3+G Toolz .NET 4

2009-04-06 20:20 . 2006-09-03 01:57 263808 ----a-w c:\documents and settings\billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-06 20:18 . 2009-04-06 20:14 -------- d-----w c:\program files\HooTech

2009-04-06 14:32 . 2008-08-13 05:40 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 14:32 . 2008-08-13 05:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-31 18:42 . 2006-09-03 03:42 -------- d-----w c:\program files\MSN Messenger

2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\MSBuild

2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\Reference Assemblies

2009-03-31 14:55 . 2009-03-31 14:55 -------- d-----w c:\program files\MSXML 4.0

2009-03-31 13:14 . 2006-09-03 01:45 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-03-26 09:49 . 2009-04-06 20:32 3768 ----a-w c:\windows\system32\drivers\MusCVideo.sys

2009-03-26 09:49 . 2009-04-06 20:32 23096 ----a-w c:\windows\system32\drivers\MusCAudio.sys

2009-03-19 15:32 . 2009-04-06 21:04 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-09 05:19 . 2009-02-25 07:59 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-02-20 08:10 . 2004-09-29 18:47 666112 ----a-w c:\windows\system32\wininet.dll

2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll

2006-10-30 20:58 . 2006-10-30 20:58 59860 ----a-w c:\program files\StreetPiloti3_320.exe

.

 

((((((((((((((((((((((((((((( SnapShot@2009-05-11_07.14.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-11 20:24 . 2009-05-11 20:24 16384 c:\windows\Temp\Perflib_Perfdata_7e4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-02 08:17 11952 ----a-w c:\windows\system32\avgrsstx.dll

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk

backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/07/2008 08:22 325896]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/07/2008 08:22 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 11:43 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/07/2008 08:22 908568]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/07/2008 08:22 298776]

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [03/09/2006 03:10 191092]

R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [03/09/2006 03:10 6100]

S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [06/04/2009 21:32 23096]

S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [06/04/2009 21:32 3768]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [01/03/2007 19:39 180480]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\MediaManager.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a84d0e96-3af2-11de-acb9-000e35db220a}]

\Shell\AutoRun\command - F:\MediaManager.exe

.

Contents of the 'Scheduled Tasks' folder

 

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2007-12-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8190283110.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-11 21:50

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(764)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-05-11 21:53

ComboFix-quarantined-files.txt 2009-05-11 20:53

ComboFix2.txt 2009-05-11 07:17

 

Pre-Run: 17,754,742,784 bytes free

Post-Run: 17,779,912,704 bytes free

 

194 --- E O F --- 2009-04-16 06:42

Katana   

I don't need ANY of the files that's on the kaspersky list, and really would appreciate it if you help me get rid of them all please, they're really a worry now.

I can certainly remove them for you, that isn't going to be a problem :)

If you don't mind though, I would like to examine a couple first and see if they are infected.

The upload didn't work before, so let's try a different method.

 

 

 

Upload a File

 

Go to spykiller

 

Please start a new thread Titled File/s for Katana and give the following information

  • Name:-- Your name
  • Subject:-- File for Katana
In the main text window please put the following link

http://forums.pcpitstop.com/index.php?showtopic=168357
you may also add any comments you wish

then press attach and upload the following files.

 

C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip

C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip

C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip

 

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.

You DO NOT need to be a member to upload, anybody can upload the files

 

You can now delete SFP (exe and Zip) along with the .cab file that was created

 

 

 

 

How are things running at the moment, any problems still ?

xdustyx   

Hello Katana,

I've uploaded the files onto the site for you... (hope I did it right)

Sorry I don't understand what you mean by:

You can now delete SFP (exe and Zip) along with the .cab file that was created

Was it a programme?

The computer seems to be running a little slower than it was, and when I turned it on I noticed a different black screen flash up for a second before it started loading.

When I installed the combofix it installed "windows recovery system" for me because it wasn't installed on here... I just wondered if it was anything to do with that?

I looked on msconfig and saw this below and wondered if that was the reason why the start up looked different; should it be changed at all?

 

Posted Image

 

THANK YOU again, very much :)

Jayne

Katana   

1) I've uploaded the files onto the site for you... (hope I did it right)

 

2) Sorry I don't understand what you mean by:- You can now delete SFP (exe and Zip) along with the .cab file that was created

 

3) when I turned it on I noticed a different black screen flash up for a second before it started loading.

1) That's fine, I've run them through a few scanners and they all agree there is an infection present. Too many for a False Positive anyway.

2) Sorry about that, just ignore it. It was part of a different post that got left in by mistake :(

3) The black screen is part of Recovery Console that Combofix installed, it should only last a couple of seconds and it may save your machine one day :)

 

Right, let's remove those files .....

 

 

 

OTMoveIt

Please download OTMoveIt3 by OldTimer and save it to your desktop

  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
:Files
C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip
C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip
C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip
:Commands
[Purity]
[EmptyTemp]
  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • - Close ALL open windows (especially Internet Explorer!)-
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

Now .... When is the machine running slower, during usage or boot up ?

 

Please post a fresh HJT log along with the OTMI log

xdustyx   

Hi Katana,

I've done all that you requested... THANK YOU!

It seemed to be running slower during usage; it doesn't appear as slow today though :unsure:

Here are the logs you asked for...

Thank you again :)

 

 

========== PROCESSES ==========

========== FILES ==========

C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip moved successfully.

C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip moved successfully.

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip moved successfully.

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip moved successfully.

C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip moved successfully.

========== COMMANDS ==========

User's Temp folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\billy\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

User's Temporary Internet Files folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Network Service Temp folder emptied.

File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Network Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_148.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

 

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05132009_072220

 

Files moved on Reboot...

File C:\WINDOWS\temp\Perflib_Perfdata_148.dat not found!

---------------------------------------------------------------------

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:37:09, on 13/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238500135000

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241634729171

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...428/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 6033 bytes

Katana   

Congratulations your logs look clean :)

 

Let's see if I can help you keep it that way

 

First let's tidy up

 

Please delete RSIT.exe and C:\RSIT (entire folder)

You can also delete any logs we have produced, and empty your Recycle bin.

 

 

Uninstall Combofix

  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • Posted Image
Uninstall OTMoveIt
  • Open OTMoveIt Click Cleanup,
  • When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------

 

The following is some info to help you stay safe and clean.

 

 

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

( Vista users must ensure that any programs are Vista compatible BEFORE installing )

 

Online Scanners

I would recommend a scan at one or more of the following sites at least once a month.

 

http://www.pandasecurity.com/activescan

http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

 

!!! Make sure that all your programs are updated !!!

Secunia Software Inspector does all the work for you, .... see HERE for details

 

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.

    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.

    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.

    Most of the programs in this list have free (for Home Users) and paid versions;

    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.

  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner
Prevention
  • These programs don't detect malware; they help stop it getting on your machine in the first place.

    Each does a different job, so you can have more than one

  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections
Internet Browsers
  • Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.

    Using a different web browser can help stop malware getting on your machine.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.

    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.

    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

     

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.

    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.

    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

     

    Both of these can be cleaned manually, but a quicker option is to use a program

  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place

 

The last and most important thing I can tell you is UPDATE.

If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.

Malware changes on a day to day basis. You should update every week at the very least.

 

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D

 

 

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

 

Happy surfing K'

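As an added illustration of the hosts-file mechanism Katana describes above (this is example code written for this page, not code from the thread, from Spybot, or from the MVPS HOSTS project), the Python below parses a constructed hosts file in the MVPS style, resolves names the way the operating system does (hosts file first, DNS second), and lists entries that send a name somewhere other than a sinkhole address, the pattern HijackThis reports as an O1 hosts-file redirect. Every hostname, address and the stand-in DNS table are constructed for the example.

```python
"""How a hosts file blocks sites, shown on a constructed sample (added example)."""
import ipaddress

# Constructed sample hosts file, not the poster's real one. It mimics the MVPS
# HOSTS style: 0.0.0.0 as the sinkhole address, '#' comments, and several
# names on one line. The last entry has the shape of a hosts-file redirect.
SAMPLE_HOSTS = """\
# header comment, ignored by the resolver
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.example-tracker.invalid     # constructed ad server
0.0.0.0         Banners.Example-Ads.invalid
0.0.0.0   first.invalid  second.invalid        # several names, one line
badline-without-an-address
203.0.113.9     update.example-av.invalid      # redirect, not a block
"""

# Stand-in for real DNS answers, constructed for the example.
FAKE_DNS = {
    "ad.example-tracker.invalid": "198.51.100.7",
    "www.example-shop.invalid": "198.51.100.8",
}

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address on its line.

    Resolvers match hostnames case-insensitively and use the first line that
    mentions a name, so setdefault keeps the first mapping when a name repeats.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        parts = line.split()
        if len(parts) < 2:
            continue                           # blank or malformed line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # first field is not an address
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def resolve(name, hosts, dns):
    """Resolve like the OS: hosts file first, then DNS.

    Returns (source, address) where source is 'blocked' for a sinkhole entry,
    'hosts' for any other hosts-file entry, 'dns', or 'nxdomain'.
    """
    key = name.lower().rstrip(".")
    if key in hosts:
        ip = hosts[key]
        if ip in SINKHOLES and key not in LOCAL_NAMES:
            return ("blocked", ip)
        return ("hosts", ip)
    if key in dns:
        return ("dns", dns[key])
    return ("nxdomain", None)


def audit_hosts(hosts):
    """List entries that send a name somewhere other than a sinkhole.

    A blocklist such as MVPS HOSTS only ever points names at 0.0.0.0 or
    127.0.0.1. An entry aimed at a routable address is either a deliberate
    local override or a redirect of that name, the kind of change HijackThis
    shows as an O1 entry, so it is worth a look.
    """
    return sorted((n, ip) for n, ip in hosts.items() if ip not in SINKHOLES)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("AD.Example-Tracker.invalid", "www.example-shop.invalid",
                 "localhost", "update.example-av.invalid"):
        print(host, "->", resolve(host, table, FAKE_DNS))
    print("entries that redirect rather than block:", audit_hosts(table))
```

The ad server is resolved from the hosts file even though the stand-in DNS table knows an address for it, which is exactly why a hosts-file blocklist works: the operating system never asks DNS for a name the hosts file already answers. The same precedence is why a redirect entry is worth auditing, since it silently wins over DNS for the name it names.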
xdustyx   

Hi Katana,

Again THANK YOU for all your help and everything you've done for me with the computer... I did everything you mentioned:

Please delete RSIT.exe and C:\RSIT (entire folder)

Uninstall Combofix

Uninstall OTMoveIt

I've actually gained a few GB space :)

What I'm concerned about though is, I have used the kaspersky online scanner all the way through and nothing else, and the last scan I did found NOTHING! BUT I ran a scan using the other link you gave me (http://www.pandasecurity.com/activescan) and I was shocked at the results... it took HOURS.

What it found was this below, and I really don't know what to make of it now after kaspersky gave me the thumbs up. Also what I don't understand is where it found:

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]

How can a backup of the forum contain the things it does (the digitalsite/downloads etc) when it was never used for uploading ebooks? It was just a forum... It just seems so very weird.

PLEASE can you take a look at what the scan log says and advise me? I'm really sorry to bother you again with my problems, but I've now become paranoid and really glad I did the scan.

THANK YOU AGAIN :)

Jayne

 

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-05-13 19:55:46

PROTECTIONS: 1

MALWARE: 9

SUSPECTS: 40

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

AVG Anti-Virus Free 8.5 Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@tribalfusion[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@ad.yieldmanager[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@adrevolver[2].txt

00472802 Adware/Beginto Adware No 0 No No C:\Documents and Settings\billy\My Documents\Lilly's Stuff!\all downloaded stuff misc\DivXInstaller.exe[²ÜÇ\GoogleToolbarFirefox.msi][unk_0020][xpi][components/googletoolbar.dll]

00702834 Bck/Hupigon.LKC Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\resellerrightspack\ProfessionalCoverCreationTutorial.zip[ebct1.exe]

00702834 Bck/Hupigon.LKC Virus/Trojan No 0 No No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\1000 ebooks part 1\1000ebook1.zip[ee6/toolkittut.rar][ebct1.exe]

00702834 Bck/Hupigon.LKC Virus/Trojan No 0 No No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook1.zip[ee6/toolkittut.rar][ebct1.exe]

00702834 Bck/Hupigon.LKC Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster2 pro\ebct1.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\Be_a_WHIZ_at_eBIZ.zip[ebizwhiz-brand.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\albert ebooks\NicheProductPak2ProductPak.zip[NichePowerPak2ProductBonuses.zip][6pakExtraBonuses.zip][Extra Bonuses/Insider.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish\Easy Spanish For Babies & Toddlers\Easy Spanish.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]

03879004 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\albert ebooks\NPP3MasterR.zip[memberS SITE/NPPP3DL/Insider.zip][insider.exe]

03879004 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\resellerrightspack\TheNicheProductPowerPack.zip[NICHE PRODUCTS/BONUS BOOKS.zip][bONUS BOOKS/Insider.exe]

03879007 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\inside2222r.exe

03899010 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\Desktop games etc\desktop games\screen buster.exe

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

No C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\ColorSchemer_17.zip[Portable_Color_Schemer.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\eBayBSP.zip[eBayBSP/AuctionTidBits.zip][auctiontidbits.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/EZ-ebooks.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/princess.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/Bonus Items/EZ-ebooks.exe]

No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\NicheProductPak1ResellerProductsPak.zip[NICHE PRODUCTS/BONUS BOOKS.zip][bONUS BOOKS/BONUS BOOKS/Insider.exe]

No C:\Documents and Settings\billy\My Documents\albert ebooks\Ultimateforexcourse.zip[insiderSecretsCurrencyTrading.zip][insider.exe]

No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\free_to_sell_6.zip[freetosell 6.02.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]

No C:\Documents and Settings\billy\My Documents\resellerrightspack\AuctionSourcesBigBook.zip[asbb3.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\downloads from ebookdirectory\affirmations.zip[affirmations.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook2.zip[ef1/freetosell6.2.rar][FREETOSELL.EXE]

No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook2.zip[ej1/javascriptmagic.rar][Javascript_Magic\javabookbd.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\part2 of 1000 ebooks\1000ebook2.zip[ef1/freetosell6.2.rar][FREETOSELL.EXE]

No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\part2 of 1000 ebooks\1000ebook2.zip[ej1/javascriptmagic.rar][Javascript_Magic\javabookbd.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/EZ-ebooks.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/princess.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/Bonus Items/EZ-ebooks.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\auction_sources_bigbook\asbb3.exe

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\auction_sources_bigbook.zip[asbb3.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\java_macromedia_ebooks\java_for_your_web_page_magic.exe

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\java_macromedia_ebooks.zip[java_for_your_web_page_magic.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\freetosell6.zip[freetosell6.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\java1.zip[javamagic/javabookbd.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\javamagic1.zip[javamagic/javabookbd.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\java1.zip[javamagic/33scripts.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\javamagic1.zip[javamagic/33scripts.exe]

No C:\Documents and Settings\billy\My Documents\website and internet\web stuff\auction_sources_bigbook.zip[asbb3.exe]

 

==========================================================================================================================================

 

Threats with free disinfection (5)

Low danger level (5) Generic Malwar... Virus Latent Hide + Info

1. C:\Documents and Settings\billy\My Documents\... to upload\download\inside2222r.exe

 

Generic Malwar... Virus Latent Hide + Info

1. C:\Documents and Settings\billy\My Documents\...BOOKS.zip][bONUS BOOKS/Insider.exe]

2. C:\Documents and Settings\billy\My Documents\...E/NPPP3DL/Insider.zip][insider.exe]

 

Generic Malwar... Virus Latent Hide + Info

1. C:\Documents and Settings\billy\My Documents\...etc\desktop games\screen buster.exe

 

Trj/CI.A Virus Latent Hide + Info

1. C:\Documents and Settings\billy\My Documents\...HIZ_at_eBIZ.zip[ebizwhiz-brand.exe]

2. C:\Documents and Settings\billy\Desktop\All F...Babies & Toddlers/Easy Spanish.exe]

3. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

4. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

5. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

6. C:\Documents and Settings\billy\My Documents\...ses.zip][Extra Bonuses/Insider.exe]

7. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

8. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

9. C:\Documents and Settings\billy\My Documents\... Babies & Toddlers\Easy Spanish.exe

10. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

11. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

12. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

13. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

14. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

 

Bck/Hupigon.LK... Virus Latent Hide + Info Not disinfectable

1. C:\Documents and Settings\billy\My Documents\...ooks&sites\webmaster2 pro\ebct1.exe

2. C:\Documents and Settings\billy\My Documents\...overCreationTutorial.zip[ebct1.exe]

3. C:\Documents and Settings\billy\My Documents\....zip[ee6/toolkittut.rar][ebct1.exe]

4. C:\Documents and Settings\billy\My Documents\....zip[ee6/toolkittut.rar][ebct1.exe]

 

 

Only available for registered users.


Threats disinfected with the paid version (4)

Low danger level (4) Adware/Beginto Adware Latent Show + Info Not disinfectable

1. C:\Documents and Settings\billy\My Documents\...[xpi][components/googletoolbar.dll]

 

Cookie/YieldMa... Tracking Cookie Latent Show + Info

1. C:\Documents and Settings\billy\Cookies\billy@ad.yieldmanager[2].txt

 

Cookie/Tribalf... Tracking Cookie Latent Show + Info

1. C:\Documents and Settings\billy\Cookies\billy@tribalfusion[2].txt

 

Cookie/Adrevol... Tracking Cookie Latent Show + Info

1. C:\Documents and Settings\billy\Cookies\billy@adrevolver[2].txt

 

 

Only available in paid version.

Katana   

1) I really don't know what to make of it now after kaspersky gave me the thumbs up.

2) How can a back up of the forum contain the things it does (the digitalsite/downloads etc) when it was never used for uploading ebooks?

1) Different scanners find different things, so that isn't unexpected.

2) At some point, those files must have been on the site and you made a backup at that time. There is no other explanation.

 

Let's see if I can explain the results for you ...

 

These ones are in the SUSPECTS section, so it could be that they are encrypted, or password protected. It doesn't mean they are infected.

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\slowcookerrecipes.zip

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\slowcookerrecipes.zip

 

 

These could be false positives due to the way they work.

If you want to keep them, then I would upload them to VirusTotal and check if they are safe.

(If you don't need them, just delete them.)

C:\Documents and Settings\billy\My Documents\resellerrightspack\ProfessionalCoverCreationTutorial.zip

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\1000 ebooks part 1\1000ebook1.zip

C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook1.zip

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster2 pro\ebct1.exe

C:\Documents and Settings\billy\My Documents\resellerrightspack\TheNicheProductPowerPack.zip

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\inside2222r.exe

C:\Documents and Settings\billy\My Documents\Desktop games etc\desktop games\screen buster.exe

 

 

These others, I would recommend deleting. They aren't active at all, so just select the file and hit Delete.

 

C:\Documents and Settings\billy\My Documents\Lilly's Stuff!\all downloaded stuff misc\DivXInstaller.exe

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\Be_a_WHIZ_at_eBIZ.zip

C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar

C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip

C:\Documents and Settings\billy\My Documents\albert ebooks\NicheProductPak2ProductPak.zip

C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish\Easy Spanish For Babies & Toddlers\Easy Spanish.exe

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip

C:\Documents and Settings\billy\My Documents\albert ebooks\NPP3MasterR.zip

Edited by Katana

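One way to turn a Panda ActiveScan report like the one pasted above into a short, actionable file list. This is an added example for the thread, not code from the original posts or from Panda: the row layout is taken from the report format shown (the `Id Description Type Active Severity Disinfectable Disinfected Location` columns and the `outer.zip[inner.rar][file.exe]` member notation), and `SAMPLE_REPORT` is a constructed excerpt with shortened paths. It collapses the many member-of-archive rows to the files that actually exist on disk, keeps SUSPECTS entries (unscannable, encrypted or password-protected members) apart from real detections, and surfaces anything reported as Active first.

```python
"""Reduce a Panda ActiveScan report to the on-disk files it refers to.

Added example for this thread; not part of the original posts or of Panda's tooling.
"""
import re
from collections import defaultdict

# MALWARE row:  Id Description Type Active Severity Disinfectable Disinfected Location
# "Description" may contain spaces ("Generic Malware"), so it is matched lazily
# and the row is anchored on the fixed Yes/No/number columns before the path.
MALWARE_ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>.+?)\s+(?P<kind>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>[A-Za-z]:\\.*)$"
)
# SUSPECTS row:  Sent Location
SUSPECT_ROW = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>[A-Za-z]:\\.*)$")


def on_disk_path(location: str) -> str:
    """Strip Panda's archive-member notation and return the container file.

    Nested members are written outer.zip[inner.rar][file.exe]; only the text
    before the first '[' that follows a file extension exists on disk. This is
    a heuristic, because '[' is legal in Windows names: the cookie file
    billy@tribalfusion[2].txt has no extension before its '[' and is kept whole.
    """
    for i, ch in enumerate(location):
        if ch == "[" and re.search(r"\.\w{1,5}$", location[:i]):
            return location[:i]
    return location


def parse_activescan(text: str) -> dict:
    """Return {'malware': [rows], 'suspects': [rows]} from the report text."""
    report = {"malware": [], "suspects": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # banner and separator lines
            continue
        if line in ("PROTECTIONS", "MALWARE", "SUSPECTS"):
            section = line
            continue
        if section == "MALWARE" and (m := MALWARE_ROW.match(line)):
            row = m.groupdict()
            for flag in ("active", "disinfectable", "disinfected"):
                row[flag] = row[flag] == "Yes"
            row["severity"] = int(row["severity"])
            row["file"] = on_disk_path(row["location"])
            report["malware"].append(row)
        elif section == "SUSPECTS" and (m := SUSPECT_ROW.match(line)):
            report["suspects"].append({
                "sent": m.group("sent") == "Yes",
                "location": m.group("location"),
                "file": on_disk_path(m.group("location")),
            })
    return report


def summarize(report: dict) -> dict:
    """Collapse rows to unique on-disk files.

    detections:    {file: sorted detection names} -> delete, or verify on VirusTotal
    suspects_only: files that appear only under SUSPECTS (not a detection)
    active:        files some row reports as Active=Yes; deal with these first,
                   a latent copy inside an old backup archive is lower priority
    """
    detections = defaultdict(set)
    active = set()
    for row in report["malware"]:
        detections[row["file"]].add(row["name"])
        if row["active"]:
            active.add(row["file"])
    suspect_files = {row["file"] for row in report["suspects"]}
    return {
        "detections": {f: sorted(names) for f, names in detections.items()},
        "suspects_only": sorted(suspect_files - set(detections)),
        "active": sorted(active),
    }


# Constructed excerpt in the report format pasted above (paths shortened).
SAMPLE_REPORT = r"""
;*******
ANALYSIS: 2009-05-13 19:55:46
;*******
PROTECTIONS
Description Version Active Updated
;=======
AVG Anti-Virus Free 8.5 Yes Yes
;=======
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=======
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@tribalfusion[2].txt
00702834 Bck/Hupigon.LKC Virus/Trojan No 0 No No C:\Docs\1000ebook1.zip[ee6/toolkittut.rar][ebct1.exe]
00702834 Bck/Hupigon.LKC Virus/Trojan No 0 Yes No C:\Docs\webmaster2 pro\ebct1.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Docs\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03879004 Generic Malware Virus/Trojan No 0 Yes No C:\Docs\NPP3MasterR.zip[memberS SITE/NPPP3DL/Insider.zip][insider.exe]
;=======
SUSPECTS
Sent Location
;=======
No C:\Docs\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Docs\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]
"""

if __name__ == "__main__":
    result = summarize(parse_activescan(SAMPLE_REPORT))
    for path, names in sorted(result["detections"].items()):
        print(f"DETECTED  {', '.join(names):22} {path}")
    for path in result["suspects_only"]:
        print(f"SUSPECT   {'(unscannable member)':22} {path}")
    print("active:", result["active"] or "none")
```

Paste the full report in place of `SAMPLE_REPORT` and the output is one line per container file rather than one per archive member, which is what you need when the same infected ebook has been copied into a dozen backup zips. A file in `suspects_only` was merely not scannable; a file under `detections` is what VirusTotal (or the recycle bin) should see. Note that `on_disk_path` is a heuristic because square brackets are legal in Windows filenames; check its output before deleting anything it names.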
xdustyx   

Hello again Katana,

I've deleted most of the files and sent some for analysis :)

I've now taken extra precautions and installed Spybot Search & Destroy AND SpywareGuard.

I had actually installed a-squared free first and it found this:

 

a-squared Free - Version 4.5

Last update: 14/05/2009 11:05:38

 

Scan settings:

 

Scan type: Quick Scan

Objects: Memory, Traces, Cookies

Scan archives: On

Heuristics: Off

ADS Scan: On

 

Scan start: 14/05/2009 11:24:00

 

Value: HKEY_CLASSES_ROOT\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_CLASSES_ROOT\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_CLASSES_ROOT\CLSID\{4F99A075-5227-11D2-AD06-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_CLASSES_ROOT\CLSID\{B22FE43C-D1E8-432A-A862-9F83D5F04732}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_CLASSES_ROOT\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_CLASSES_ROOT\CLSID\{DDD136CE-517B-11D2-AD03-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_CLASSES_ROOT\CLSID\{E9D55102-9683-11D2-BA68-0040053687FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F99A075-5227-11D2-AD06-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE43C-D1E8-432A-A862-9F83D5F04732}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDD136CE-517B-11D2-AD03-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9D55102-9683-11D2-BA68-0040053687FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

 

Scanned

 

Files: 1289

Traces: 641460

Cookies: 6

Processes: 35

 

Found

 

Files: 0

Traces: 14

Cookies: 0

Processes: 0

Registry keys: 0

 

Scan end: 14/05/2009 11:26:46

Scan time: 0:02:46

 

 

I really didn't know what to do, so I did a search on it and found that many, many other people found that it was picking up the same thing and no-one seemed to know why or what it was... so I didn't do anything with what it found, I turned it off and installed Spybot Search & Destroy.

It did the same scan and didn't pick those up BUT found this:

 

Win32.Agent.pz: [sBI $7EC6899E] Settings (Registry value, nothing done)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

 

Win32.Agent.pz: [sBI $8980C6CD] Settings (Registry value, nothing done)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

 

I re-scanned, and hope I did the right thing and let it remove them (I had done a backup of the registry first, just in case).

 

Still unsure what to do with what a-squared found though, and wondered if you know anything about them, please?

 

THANK YOU again :)

Jayne

Katana   

The items that Spybot found look to be a couple of leftovers, I wouldn't worry about them.

 

The a-squared items look to be related to routers, so I would leave those alone. I suspect they are a false positive.

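The check that settles whether a "Trace.Registry" hit like the a-squared ones above is a false positive is to look at what each CLSID actually registers: the default value of `HKCR\CLSID\{...}\InprocServer32` is the path of the COM server DLL, and the file's existence and vendor tell you whose component it is. The script below does that. It is an added example for this thread, not code from the original posts, from a-squared or from Spybot; `SAMPLE_LOG` is a constructed excerpt of the a-squared output posted above, and `example.dll` in the offline demo table is a made-up path. On Windows it reads the registry through `winreg`; elsewhere, or in a test, a lookup function is injected in its place.

```python
"""Map the CLSIDs in an a-squared 'Trace.Registry' hit to the DLLs they register.

Added example for this thread; not part of the original posts, of a-squared or of Spybot.
"""
import os
import re
from typing import Callable, Dict, Optional

# One a-squared line:
#   Value: HKEY_...\CLSID\{GUID}\InprocServer32 --> ThreadingModel detected: <name>
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
TRACE_LINE = re.compile(
    r"Value:\s+(?P<hive>HKEY_[A-Z_]+)\\.*?CLSID\\(?P<clsid>" + GUID + r")\\"
    r"InprocServer32\s+-->\s+(?P<value>\S+)\s+detected:\s+(?P<name>.+?)\s*$"
)


def extract_clsids(log_text: str) -> list:
    """Unique CLSIDs in first-seen order.

    HKCR\\CLSID is a merged view of HKLM\\SOFTWARE\\Classes\\CLSID (and
    HKCU\\Software\\Classes\\CLSID), so a-squared reports each entry twice,
    once per path; de-duplicating by GUID gives the real number of components.
    """
    found = []
    for line in log_text.splitlines():
        m = TRACE_LINE.search(line)
        if m:
            found.append(m.group("clsid").upper())
    return list(dict.fromkeys(found))


def registry_reader(clsid: str) -> Optional[str]:
    """Default value of HKCR\\CLSID\\<clsid>\\InprocServer32, i.e. the DLL path.

    Windows only; winreg is imported here so the module still loads elsewhere.
    """
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            "CLSID\\" + clsid + "\\InprocServer32") as key:
            value, _ = winreg.QueryValueEx(key, "")  # "" is the (Default) value
            return value
    except OSError:
        return None


def resolve(clsids, reader: Callable[[str], Optional[str]] = registry_reader) -> Dict[str, dict]:
    """For each CLSID: the registered server DLL (if any) and whether it exists.

    InprocServer32 is often REG_EXPAND_SZ (e.g. %SystemRoot%\\system32\\x.dll),
    hence the expandvars before the existence check.
    """
    out = {}
    for clsid in clsids:
        server = reader(clsid)
        expanded = os.path.expandvars(server) if server else None
        out[clsid] = {
            "server": server,
            "exists": bool(expanded and os.path.isfile(expanded)),
        }
    return out


# Constructed excerpt of the a-squared log posted above (two CLSIDs, each
# reported under both registry paths, as in the original).
SAMPLE_LOG = r"""
Value: HKEY_CLASSES_ROOT\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
"""

if __name__ == "__main__":
    clsids = extract_clsids(SAMPLE_LOG)
    if os.name == "nt":
        results = resolve(clsids)                       # live registry
    else:
        # Offline demo: a made-up table standing in for the registry.
        demo = {clsids[0]: r"C:\WINDOWS\system32\example.dll"}
        results = resolve(clsids, reader=demo.get)
    for clsid, info in results.items():
        state = "present" if info["exists"] else "missing or not registered"
        print(f"{clsid}  {info['server'] or '(no InprocServer32)'}  [{state}]")
```

Run it on the affected machine with the full a-squared output in place of `SAMPLE_LOG`. A CLSID whose InprocServer32 points at an existing, signed DLL from a product you recognise (a router or network tool, as suggested above) is a registration, not an infection; a CLSID with no server at all is a stale leftover that does nothing. Either way the answer comes from the DLL path, not from the detection name.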
This topic is now closed to further replies.