05-Nov-2007, 10:36 AM  #1
Solved: virus or trojan

Hi, I keep getting viruses or trojans. I move them to the chest, but when I restart my computer I get them back again, and my automatic updates keep getting disabled. I have avast anti virus; I never had a problem before. I've done a boot scan and it found a win32 virus. I moved it to the chest, but as I say they keep coming back. Would you please have a look and see if I have anything bad? Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:27 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
C:\WINDOWS\system32\winsock32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\common files\aol\1186954596\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1186954596\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\Rar$EX00.250\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/aT...01716/pop.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96501477-46A7-4C7F-81AE-388209F962FD}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

__________________
05-Nov-2007, 04:19 PM  #2
Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Double click on combofix.exe & follow the prompts.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

__________________
Member of ASAP
Microsoft MVP/Windows - Consumer Security
If we've helped, please donate to TSG.
06-Nov-2007, 04:16 AM  #3
Thanks for your help. Here is the ComboFix log and the HijackThis log.

ComboFix 07-11-05.2 - Dan Sanderson 2007-11-06 9:03:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1541 [GMT 0:00]
Running from: C:\Documents and Settings\Dan Sanderson\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\WinAble
.
((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.
2007-11-06 09:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 07:41 <DIR> d-------- C:\Program Files\Uniblue
2007-11-06 07:41 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Uniblue
2007-11-05 21:11 30,770 --a------ C:\WINDOWS\system32\ertws.exe
2007-11-05 19:28 35,840 --a------ C:\WINDOWS\mrofinu173.exe
2007-11-05 19:27 9,806 --a------ C:\WINDOWS\sadasd.exe
2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Grisoft
2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 18:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-05 08:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-05 08:20 <DIR> d-------- C:\Program Files\iTunes
2007-11-05 08:20 <DIR> d-------- C:\Program Files\iPod
2007-11-05 08:20 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Apple Computer
2007-11-05 08:19 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-05 08:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-05 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 11:25 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-04 10:01 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\DoctorWeb
2007-11-03 13:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Vso
2007-11-03 13:39 81,920 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\ezpinst.exe
2007-11-03 13:39 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-03 13:39 47,360 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\pcouffin.sys
2007-11-03 13:13 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-02 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-02 17:05 <DIR> d-------- C:\Program Files\SlySoft
2007-11-02 08:04 <DIR> d-------- C:\Program Files\MagicDisc
2007-11-02 08:04 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-11-02 06:49 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-01 10:37 <DIR> d-------- C:\Program Files\Real Alternative
2007-10-30 17:52 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Publish Providers
2007-10-30 17:50 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-10-30 17:50 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-10-30 17:49 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-10-30 17:49 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Vstplugins
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Sony
2007-10-30 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-10-30 17:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony Setup
2007-10-30 17:38 <DIR> d-------- C:\Program Files\Sony Setup
2007-10-30 16:47 <DIR> d-------- C:\Program Files\WinAce
2007-10-30 15:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 14:20 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2007-10-29 14:20 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-10-29 13:14 <DIR> d-------- C:\Program Files\Deskshare
2007-10-28 17:16 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-27 14:30 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-10-26 12:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-26 12:37 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-26 11:56 <DIR> d-------- C:\Program Files\Real
2007-10-26 11:56 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-26 11:54 <DIR> d-------- C:\My Downloads
2007-10-26 11:35 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-10-26 11:35 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-10-26 11:35 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2007-10-26 11:35 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2007-10-26 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-25 12:33 <DIR> d-------- C:\Program Files\Audacity
2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-25 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-25 10:03 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-23 16:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\NCH Swift Sound
2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-22 20:06 <DIR> d-------- C:\Program Files\RadioXpi
2007-10-22 17:18 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder
2007-10-22 17:07 <DIR> d-------- C:\Program Files\RipCast 1.9
2007-10-19 08:48 <DIR> d-------- C:\Program Files\CrossLoop
2007-10-15 12:32 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-10-15 12:32 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2007-10-15 12:32 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-10-15 12:32 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-10-15 12:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-10-15 12:32 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2007-10-14 15:22 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Contacts
2007-10-14 13:51 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\MSNInstaller
2007-10-10 17:13 <DIR> d-------- C:\Program Files\AskTBar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 06:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 11:11 --------- d-----w C:\Program Files\Java
2007-11-04 10:48 --------- d-----w C:\Program Files\Common Files\FTL Shared
2007-11-03 09:47 --------- d-----w C:\Program Files\AOL 9.0
2007-11-03 09:13 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\LimeWire
2007-11-02 10:03 --------- d-----w C:\Program Files\DivX
2007-10-27 08:37 --------- d-----w C:\Program Files\LimeWire
2007-10-26 08:05 --------- d-----w C:\Program Files\AOL Toolbar
2007-10-25 08:22 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-10-01 17:56 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\Joost
2007-09-29 10:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-20 10:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-16 09:02 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\dvdcss
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-21 11:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 11:35 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 21:39 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2007-08-10 19:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2007-06-13 10:23:07 1,561,600 --sh--r C:\WINDOWS\system32\winsock32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GSICONEXE"="gsicon.exe" [2003-05-14 19:26 C:\WINDOWS\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2003-04-25 09:22 C:\WINDOWS\system32\dslagent.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe" [2006-11-17 13:21]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 17:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06]
"@"="winsock32.exe" [2007-06-13 10:23 C:\WINDOWS\system32\winsock32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 10:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"<NO NAME>"=winsock32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
winsock32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
"C:\Program Files\VoyagerTest\fts.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
"C:\Program Files\CCleaner\ccleaner.exe" /AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
S3trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 glausb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 08:14:45 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-06 08:58:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-06 06:59:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 09:03:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-06 9:04:22
.
--- E O F ---

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 9:14:03 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\winsock32.exe
c:\program files\common files\aol\1186954596\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1186954596\ee\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\Rar$EX00.657\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/aT...01716/pop.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96501477-46A7-4C7F-81AE-388209F962FD}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
06-Nov-2007, 06:43 PM
#4
Download the Trial version of Superantispyware Pro (SAS): http://www.superantispyware.com/supe....html?rid=3132
Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
  o Close browsers before scanning
  o Scan for tracking cookies
  o Terminate memory threats before quarantining.
  o Please leave the others unchecked.
  o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
  o After reboot, double-click the SUPERAntispyware icon on your desktop.
  o Click Preferences. Click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o It will open in your default text editor (such as Notepad/Wordpad).
  o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.
__________________
Member of ASAP
Microsoft MVP/Windows - Consumer Security
If we've helped, please donate to TSG.
07-Nov-2007, 02:15 AM
#5
Thanks Cheeseball81. After running the program it rebooted, but when I got to my desktop the same virus was detected by avast. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/07/2007 at 06:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3339
Trace Rules Database Version: 1340

Scan type : Complete Scan
Total Scan Time : 00:18:00

Memory items scanned : 426
Memory threats detected : 0
Registry items scanned : 5538
Registry threats detected : 26
File items scanned : 26768
File threats detected : 19

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@aoluk.122.2o7[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@statcounter[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@doubleclick[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@ads.techguy[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@toplist[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@ads.aol.co[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@media.adrevolver[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@mediaplex[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@adrevolver[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@media.adrevolver[3].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@ad.uk.tangozebra[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@advertising[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@aoleusearch.122.2o7[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@linksynergy[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@tradedoubler[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@atdmt[2].txt

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4473571C-5010-468B-B028-4C36014D560D}\RP137\A0022633.EXE

Trojan.Downloader-Gen/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4473571C-5010-468B-B028-4C36014D560D}\RP137\A0022634.EXE

Logfile of HijackThis v1.99.1
Scan saved at 7:14:13 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\winsock32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\common files\aol\1186954596\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1186954596\ee\aolsoftware.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\Rar$EX00.672\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/aT...01716/pop.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96501477-46A7-4C7F-81AE-388209F962FD}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
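The checks a helper applies by eye to the O4 and O23 lines in a log like the one above can be written down. The script below is an added example for this thread, not code from the thread or a HijackThis feature. Its sample lines are constructed to resemble the posted log, and the scoring weights are an assumption: they rank entries for a human to look at, they do not decide that something is malware.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) entries.

Added example, not code from the thread or from HijackThis itself.
The scoring weights are an assumption; they rank entries for review,
they do not decide that something is malware.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the posted log (not copied from a live machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def exe_token(cmd):
    """First token of a Run command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def triage(log_text):
    lines = log_text.splitlines()
    findings = []
    o4 = [(O4_RE.match(l), l) for l in lines if O4_RE.match(l)]
    # How many autostart keys launch each executable name.
    launches = Counter(basename(exe_token(m['cmd'])) for m, _ in o4)
    for m, line in o4:
        f = Finding(line)
        exe = exe_token(m['cmd'])
        if m['name'] == '':
            f.add(3, 'empty value name: installers name their Run entries, droppers often do not')
        if m['key'].lower().startswith('runservices'):
            f.add(2, 'RunServices is a Windows 9x key that XP does not process; writing the '
                     'same payload there shows a dropper copying every autostart key it knows')
        if '\\' not in exe:
            f.add(1, 'bare file name, resolved through the search path at logon')
        if launches[basename(exe)] > 1:
            f.add(1, 'same executable registered under more than one autostart key')
        findings.append(f)
    for line in lines:
        m = O23_RE.match(line)
        if m:
            f = Finding(line)
            if m['vendor'] == 'Unknown owner':
                f.add(1, 'no company string in the service binary')
            if '(file missing)' in m['path']:
                f.add(0, 'binary not found at the listed path; HijackThis 1.99 prints the same '
                         'for a quoted ImagePath, so verify on disk before acting')
            if f.reasons:
                findings.append(f)
        elif line.endswith('(no file)'):
            findings.append(Finding(line, 0, ['orphaned registration: no file on disk, harmless but worth cleaning']))
    return findings


def review_queue(findings, threshold=3):
    """Entries scoring at least `threshold`, highest first."""
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == '__main__':
    for f in review_queue(triage(SAMPLE_LOG)):
        print(f.score, f.line)
        for why in f.reasons:
            print('   -', why)
```

On the sample, only the two winsock32.exe entries reach the review threshold; gsicon.exe scores a single point for being a bare file name, which is why a bare name alone is weighted low: plenty of OEM utilities are registered that way. The two avast! "(file missing)" services are listed with zero points because that text is also what HijackThis 1.99 produces for a correctly quoted ImagePath.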
07-Nov-2007, 02:39 PM
#6
I know, you're very infected so we still have plenty more to do. Please rerun Combofix and post those results.
07-Nov-2007, 04:35 PM
#7 |
| thanks for your help ComboFix 07-11-05.2 - Dan Sanderson 2007-11-07 21:28:13.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1590 [GMT 0:00] Running from: C:\Documents and Settings\Dan Sanderson\Desktop\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 ))))))))))))))))))))))))))))))) . 2007-11-07 21:21 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys 2007-11-07 06:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2007-11-07 06:24 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\SUPERAntiSpyware.com 2007-11-07 06:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2007-11-06 09:56 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\.housecall6.6 2007-11-06 09:02 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-06 07:41 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Uniblue 2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Grisoft 2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-11-05 18:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-11-05 08:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-11-05 08:20 <DIR> d-------- C:\Program Files\iTunes 2007-11-05 08:20 <DIR> d-------- C:\Program Files\iPod 2007-11-05 08:20 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Apple Computer 2007-11-05 08:19 <DIR> d-------- C:\Program Files\Common Files\Apple 2007-11-05 08:14 <DIR> d-------- C:\Program Files\Apple Software Update 2007-11-05 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2007-11-04 11:25 <DIR> d-------- C:\Program Files\QuickTime 2007-11-04 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2007-11-04 10:01 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\DoctorWeb 2007-11-03 13:39 <DIR> 
d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Vso 2007-11-03 13:39 81,920 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\ezpinst.exe 2007-11-03 13:39 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2007-11-03 13:39 47,360 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\pcouffin.sys 2007-11-02 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft 2007-11-02 17:05 <DIR> d-------- C:\Program Files\SlySoft 2007-11-02 08:04 <DIR> d-------- C:\Program Files\MagicDisc 2007-11-02 08:04 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys 2007-11-02 06:49 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys 2007-11-01 10:37 <DIR> d-------- C:\Program Files\Real Alternative 2007-10-30 17:52 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Publish Providers 2007-10-30 17:50 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll 2007-10-30 17:50 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll 2007-10-30 17:49 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2007-10-30 17:49 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony 2007-10-30 17:48 <DIR> d-------- C:\Program Files\Vstplugins 2007-10-30 17:48 <DIR> d-------- C:\Program Files\Sony 2007-10-30 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony 2007-10-30 17:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony Setup 2007-10-30 17:38 <DIR> d-------- C:\Program Files\Sony Setup 2007-10-30 16:47 <DIR> d-------- C:\Program Files\WinAce 2007-10-30 15:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-10-29 14:20 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared 2007-10-29 14:20 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll 2007-10-29 13:14 <DIR> d-------- C:\Program Files\Deskshare 2007-10-28 17:16 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys 2007-10-27 14:30 
<DIR> d-------- C:\Program Files\XP Codec Pack 2007-10-26 12:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-10-26 12:37 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2007-10-26 11:56 <DIR> d-------- C:\Program Files\Real 2007-10-26 11:56 <DIR> d-------- C:\Program Files\Common Files\Real 2007-10-26 11:54 <DIR> d-------- C:\My Downloads 2007-10-26 11:35 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll 2007-10-26 11:35 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys 2007-10-26 11:35 5,600 --a------ C:\WINDOWS\system\winaspi.dll 2007-10-26 11:35 4,672 --a------ C:\WINDOWS\system\wowpost.exe 2007-10-26 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads 2007-10-25 12:33 <DIR> d-------- C:\Program Files\Audacity 2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Toolbar 2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Favorites 2007-10-25 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar 2007-10-25 10:03 <DIR> d-------- C:\Program Files\MSN Messenger 2007-10-23 16:23 <DIR> d-------- C:\Program Files\NCH Swift Sound 2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\NCH Swift Sound 2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2007-10-22 20:06 <DIR> d-------- C:\Program Files\RadioXpi 2007-10-22 17:18 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar 2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder Toolbar 2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder 2007-10-22 17:07 <DIR> d-------- C:\Program Files\RipCast 1.9 2007-10-19 08:48 <DIR> d-------- C:\Program Files\CrossLoop 2007-10-15 12:32 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys 2007-10-15 12:32 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys 2007-10-15 12:32 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys 2007-10-15 12:32 53,248 --a--c--- 
C:\WINDOWS\system32\dllcache\1394bus.sys 2007-10-15 12:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys 2007-10-15 12:32 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys 2007-10-14 15:22 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Contacts 2007-10-14 13:51 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\MSNInstaller 2007-10-10 17:13 <DIR> d-------- C:\Program Files\AskTBar . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-07 08:22 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\Ahead 2007-11-07 06:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-06 13:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-04 11:11 --------- d-----w C:\Program Files\Java 2007-11-04 10:48 --------- d-----w C:\Program Files\Common Files\FTL Shared 2007-11-03 09:47 --------- d-----w C:\Program Files\AOL 9.0 2007-11-03 09:13 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\LimeWire 2007-11-02 10:03 --------- d-----w C:\Program Files\DivX 2007-10-27 08:37 --------- d-----w C:\Program Files\LimeWire 2007-10-26 08:05 --------- d-----w C:\Program Files\AOL Toolbar 2007-10-25 08:22 --------- d-----w C:\Program Files\Dell AIO Printer A920 2007-10-01 17:56 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\Joost 2007-09-29 10:24 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-09-20 10:38 --------- d-----w C:\Program Files\Common Files\Adobe 2007-09-16 09:02 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\dvdcss 2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2007-08-21 11:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-08-21 11:35 249,856 ------w C:\WINDOWS\Setup1.exe 2007-08-21 06:15 
683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-08-14 21:39 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe 2007-08-10 19:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll 2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe 2007-06-13 10:23:07 1,561,600 --sh--r C:\WINDOWS\system32\winsock32.exe . ((((((((((((((((((((((((((((( snapshot@2007-11-06_ 9.04.01.18 ))))))))))))))))))))))))))))))))))))))))) . + 2007-09-21 15:53:44 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll + 2007-11-07 06:24:25 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe + 2007-11-07 06:24:25 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe + 2007-11-07 06:24:25 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe + 2007-11-07 21:21:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_730.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GSICONEXE"="gsicon.exe" [2003-05-14 19:26 C:\WINDOWS\system32\gsicon.exe] "DSLAGENTEXE"="dslagent.exe" [2003-04-25 09:22 C:\WINDOWS\system32\dslagent.exe] "HostManager"="C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe" [2006-11-17 13:21] "36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 17:05] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06] "@"="winsock32.exe" [2007-06-13 10:23 C:\WINDOWS\system32\winsock32.exe] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06] "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 14:27] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] "<NO NAME>"=winsock32.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk] 
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

winsock32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
"C:\Program Files\VoyagerTest\fts.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
"C:\Program Files\CCleaner\ccleaner.exe" /AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
S3trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 glausb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys

*Newly Created Service* - OREANS32
.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 08:14:45 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 09:58:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-07 21:24:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:29:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-07 21:29:39
C:\ComboFix2.txt ... 2007-11-06 09:04
.
--- E O F --- |
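As an added example (not code from this thread, from ComboFix or from HijackThis), the script below parses the parts of a ComboFix-style log that matter most when a detection keeps returning after a reboot: the msconfig startupreg entries, the R0/R1/R3 driver lines and the "*Newly Created Service*" marker. It then flags the patterns an analyst would check first: a Run value that is a bare filename resolved through the loader search order, an unquoted command line containing spaces, a driver that ComboFix reports as newly created, and a driver registered with an absolute \??\ image path. The flag rules are this example's own heuristics, not anything ComboFix outputs, and the sample log is constructed from a handful of entries copied from the log above.

```python
"""Triage helper for ComboFix-style autostart listings (added example).

Parses the msconfig 'startupreg' entries, the R0/R1/R3 driver lines and the
'*Newly Created Service*' marker, then applies this example's own heuristic
flags. The sample log is constructed from entries in the log above.
"""
import re
from dataclasses import dataclass, field

STARTUPREG_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\"
    r"startupreg\\(?P<name>[^\]]+)\]\s*$",
    re.IGNORECASE,
)
# ComboFix driver/service line: "<start type> <service>;<display name>;<image path>"
DRIVER_LINE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s*$")
NEW_SERVICE = re.compile(r"^\*Newly Created Service\*\s*-\s*(?P<svc>\S+)")


@dataclass
class Finding:
    kind: str            # "startupreg" or "driver"
    name: str            # Run value name or service name
    target: str          # command line or driver image path
    flags: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Executable part of a Run-key command line. A quoted command yields the
    quoted token; an unquoted one is returned whole, which is the same
    ambiguity CreateProcess has to resolve."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def flag_startupreg(name: str, cmd: str) -> Finding:
    f = Finding("startupreg", name, cmd)
    exe = executable_of(cmd)
    if "\\" not in exe:
        # Heuristic: bare filename, found via the loader search order
        # (application dir, system dirs, PATH); locate and hash it first.
        f.flags.append("bare-filename")
    elif not cmd.startswith('"') and " " in exe:
        # Heuristic: unquoted path with spaces; CreateProcess tries
        # C:\Program.exe, C:\Program Files\Common.exe, ... before the real file.
        f.flags.append("unquoted-path-with-space")
    return f


def flag_driver(start: str, svc: str, image: str, new_services: set) -> Finding:
    f = Finding("driver", svc, image)
    if svc.lower() in new_services:
        # ComboFix itself marks services created since its previous run.
        f.flags.append("newly-created-service")
    if image.startswith("\\??\\"):
        # Heuristic: absolute NT path means an installer registered the
        # service with a full path, unlike inbox drivers (system32\DRIVERS\x.sys).
        f.flags.append("absolute-image-path")
    return f


def parse_log(text: str):
    """Return (startupreg entries, driver lines, lower-cased new service names)."""
    entries, drivers, new_services = [], [], set()
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        key = STARTUPREG_KEY.match(lines[i])
        if key and i + 1 < len(lines):
            entries.append((key.group("name"), lines[i + 1].strip()))  # value on next line
            i += 2
            continue
        drv = DRIVER_LINE.match(lines[i])
        if drv:
            drivers.append((drv.group("start"), drv.group("svc"), drv.group("image")))
        new = NEW_SERVICE.match(lines[i])
        if new:
            new_services.add(new.group("svc").lower())
        i += 1
    return entries, drivers, new_services


def triage(text: str) -> list:
    """All entries that picked up at least one flag, in log order."""
    entries, drivers, new_services = parse_log(text)
    findings = [flag_startupreg(n, c) for n, c in entries]
    findings += [flag_driver(s, n, p, new_services) for s, n, p in drivers]
    return [f for f in findings if f.flags]


# Constructed sample: a handful of entries copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
"C:\Program Files\CCleaner\ccleaner.exe" /AUTO
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
*Newly Created Service* - OREANS32
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:10} {f.name:12} {', '.join(f.flags):45} {f.target}")
```

A flag is a prompt to go and look, not a verdict: a bare filename such as ALCMTR.EXE is normal for some OEM audio utilities, and the point of the check is to find the file on disk, confirm where the search order resolves it and hash it, rather than to assume it is malicious. Running the script over the full log above, instead of the constructed sample, only requires passing the log text to triage().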
07-Nov-2007, 05:34 PM
#8 |
| help Hi, I am new here, and go easy on me, because I am a beginner!!! I have the dreaded Virtumonde trojan. I have Avast antivirus, but it hasn't got rid of it. I have Spyware Doctor, and that also hasn't got rid of it. I need to get rid of it, but haven't a clue about manually removing it. Could someone give me a real dummies' guide to removing it?? I mean, real Janet and John stuff!!! I am a beginner, in the true sense of the word!! Help!! Cheers! |
|
07-Nov-2007, 05:46 PM
#9 |
| Hi and welcome to TSG. Best to start your own thread, as you can see this one belongs to DesperateDan. Go to the Malware Removal and HijackThis Log forum and post a HijackThis log there. http://www.thespykiller.co.uk/files/HJTsetup.exe If that link is not working, try http://tomcoyote.com/hjt Save HJTsetup.exe to your desktop. Double click on the HJTsetup.exe icon on your desktop. B |