Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Search Search
Search for:
Tech Support Guy > > >

Solved: Solved: 6 Trojan Infections in Windows XP


(!)

wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
10-Apr-2008, 03:34 AM #1
Unhappy Solved: 6 Trojan Infections in Windows XP
Hi there!

Last Friday, I had a few pictures developed in the nearby developing center. When I got my flash disk back, the AVG in my laptop detected this threat: Trojan Horse psw.onlinegames.z and asked me to heal it, which I did. Apparently, it still wasn't because when I inserted another flash disk in the USB drive to copy some files to another computer (desktop), the AVG installed there reported the same Trojan. I downloaded Spyware Terminator and TrojanHunter 5.0 for both computers and 2 Trojans were found and fixed in the hard drive and there were no reported Trojans found in the flash disk I used to copy files from the laptop to the desktop but then again, maybe it was because I reformatted the flash disk after AVG asked me to heal the trojan.

I still wasn't convinced that everything is fixed though so I checked my AVG Virus Vault in the desktop (still haven't done that in the laptop because I found so many infections in the desktop so I want to fix it one computer at a time). I found the following infections with their corresponding details:

attribute name: value
object name: uulaqvl.cmd
object path: g:\
discovery: Trojan Horse psw.onlinegames.aq
date of detection: 4/10/2008 1:55:23PM
file size: 145.72kb
healable: no
source: backup copy
status: infected

attribute name: value
object name: uulaqvl.cmd
object path: g:\
discovery: Trojan Horse psw.onlinegames.aq
date of detection: 4/09/2008 11:29:10AM
file size: 145.72kb
healable: no
source: backup copy
status: infected

attribute name: value
object name: dxdlg.dll
object path: c:\windows\system32\
discovery: Trojan Horse psw.generic.qcp
date of detection: 5/29/2007 11:35:08AM
file size: 94kb
healable: no
source: backup copy
status: infected

attribute name: value
object name: uulaqvl.cmd
object path: g:\
discovery: Trojan Horse psw.onlinegames.aq
date of detection: 4/07/2008 03:10:17PM
file size: 145.72kb
healable: no
source: backup copy
status: infected

attribute name: value
object name: NDNUninstall4_50.exe
object path: f:\windows\
discovery: Trojan Horse dialer.23.aw
date of detection: 5/29/2007 11:35:097PM
file size: 53kb
healable: no
source: backup copy
status: infected

attribute name: value
object name: msdlupd.dll
object path: f:\windows\system32
discovery: Trojan Horse downloader.dyfica.3.N
date of detection: 5/29/2007 11:35:097PM
file size: 53kb
healable: no
source: backup copy
status: infected

C:\ and F:\ are both hard drives, with the latter being a back-up of my previous files in another computer. G:\ is the USB Drive I used when I inserted the flash disk.

Thing is, when I searched for the object names, I didn't find the files so I couldn't manually delete them. I didn't even know that my desktop had this much infection until I got hit with the psw.onlinegames.z trojan which I could not find because it seemed to have evolved into psw.onlinegames.aq.

Another thing I noticed after the infection is that when I double-click the USB drive to access it, a new window pops up asking me what program I want to use to open the flash disk. This problem was "solved" when I reformatted the disk but is now back again because of the trojan found by AVG (but when I ran TrojanHunter to check the flash disk, there were no trojans found). The only way to access the disk is to either reformat the disk or type the drive directly in the address bar.

Help please.

I downloaded and ran HijackThis and this is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:10 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\Program Files\Y!mLite\ymlite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7849 bytes

Sorry if there are so many infections and thanks in advance

p.s. Before I posted this, I searched and found a thread here that was diagnosed to have a flash drive infected. I downloaded and installed the 3 files (elindirfix_2.zip, regfix.zip and flash_disinfector.exe) I saw there but I don't think my infections have been solved nor is the problem with accessing the usb drive in windows explorer. The hijacthis scan was done after all the 3 files have been installed.

Last edited by wishbear; 10-Apr-2008 at 03:50 AM.. Reason: additional information
dvk01's Avatar
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,749 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
12-Apr-2008, 02:43 AM #2
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply

Make sure the USB drives are plugged in so we can disinfect them at the same time
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
12-Apr-2008, 12:13 PM #3
Hello Derek, here are the logs that you requested:

ComboFix 08-04-11.8 - Brian 2008-04-12 23:33:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT 8:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-12 10:56 . 2008-04-12 11:01 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-04-10 14:59 . 2008-04-10 14:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 12:30 . 2008-04-10 12:30 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-04-10 11:49 . 2008-04-10 12:01 <DIR> d-------- C:\Program Files\Crawler
2008-04-10 11:49 . 2008-04-12 11:00 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Spyware Terminator
2008-04-10 11:49 . 2008-04-12 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-10 11:49 . 2008-04-10 11:49 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-10 11:48 . 2008-04-12 11:38 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-10 10:59 . 2008-04-10 12:49 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2008-04-09 19:44 . 2008-04-09 19:44 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\TrojanHunter
2008-04-09 17:52 . 2008-04-10 12:51 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-04 11:08 . 2008-04-04 11:08 10 -r------- C:\WINDOWS\PSTUDIO.SN
2008-04-04 11:03 . 2008-04-04 11:03 572 --a------ C:\WINDOWS\maxlink.ini
2008-04-04 11:03 . 2008-04-04 11:03 0 --a------ C:\WINDOWS\OP70.INI
2008-04-04 11:02 . 2008-04-04 11:02 <DIR> d-------- C:\WINDOWS\Pixtran
2008-04-04 11:02 . 2008-04-04 11:03 <DIR> d-------- C:\Program Files\Common Files\Caere
2008-04-04 11:02 . 1998-10-12 18:08 299,520 --a------ C:\WINDOWS\Uninsop9.exe
2008-04-04 11:02 . 1998-10-12 18:13 97,280 --a------ C:\WINDOWS\system32\opshel32.dll
2008-04-04 11:02 . 1998-10-16 09:45 44,032 --a------ C:\WINDOWS\OP9Deins.exe
2008-04-04 11:01 . 2008-04-04 11:01 <DIR> d-------- C:\Program Files\Caere
2008-04-04 10:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Program Files\ArcSoft
2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Documents and Settings\Brian\WINDOWS
2008-04-04 10:57 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-04-04 10:57 . 2008-04-04 11:16 1,079 --a------ C:\WINDOWS\pstudio.ini
2008-04-04 10:57 . 2008-04-04 11:16 28 --a------ C:\WINDOWS\album.ini
2008-04-04 10:57 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\Ps_setup.ini
2008-04-03 13:00 . 2008-04-03 13:00 <DIR> d-------- C:\Program Files\BFG
2008-04-02 11:33 . 2008-04-02 11:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-27 14:34 . 2008-03-27 17:12 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Gamelab
2008-03-27 14:34 . 2008-03-27 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-11 09:11 --------- d-----w C:\Documents and Settings\Brian\Application Data\AVG7
2008-04-05 06:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-04 03:16 --------- d-----w C:\Documents and Settings\Brian\Application Data\Canon
2008-04-04 02:56 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 23:42 --------- d-----w C:\Program Files\LimeWire
2008-03-08 23:44 --------- d-----w C:\Program Files\Incomplete
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 20:30 --------- d-----w C:\Program Files\QuickTime
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= "C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2008-01-31 12:00 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2008-01-31 12:00 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 20:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2004-10-11 14:54 589824]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 09:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-11 03:49 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 10:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-12 04:05 212992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-11 06:21 188416]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 13:02 53248]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-27 02:38 866816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 13:11 579072]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-10 11:49 2957824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 15:15 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-09-26 05:54 229952 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 21:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-05-28 05:58 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]
--a------ 2008-02-19 23:23 1978320 C:\DOCUME~1\Brian\LOCALS~1\Temp\CUninst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\FreeStyle Online\\FreeStyle.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"56589:TCP"= 56589:TCP:Pando P2P TCP Listening Port
"56589:UDP"= 56589:UDP:Pando P2P UDP Listening Port

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-10 11:49]
R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2005-04-04 09:55]
S2 713xTVCard;SAA7131 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-16 03:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{2f26c92a-dbd6-11da-9a0c-00142a57057f}]
\Shell\AutoRun\command - G:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-17 20:40:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 23:35:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-13 0:04:02
ComboFix-quarantined-files.txt 2008-04-12 16:03:54
Pre-Run: 31,770,972,160 bytes free
Post-Run: 31,909,224,448 bytes free
.
2008-04-12 08:42:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:21 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7606 bytes

No, prevention of autorun of all CDs, floppies or USB devices are not a problem for me. Also, I plugged in the USB drives when I ran ComboFix.

Another thing, I share this computer with my brother so there are 2 user profiles. He's the administrator and I'm not sure if all the stuff I've downloaded (Spyware Terminator, TrojanHunter, HijackThis, ComboFix, TweakNow Registry Cleaner and Free Registry Cleaner) in my profile after the AVG in this desktop discovered the Trojans affects all the files in the whole computer or just mine. I ran the ComboFix using my profile only. Just thought this information may be pertinent.

Again, many thanks in advance for taking time to help!

Last edited by wishbear; 12-Apr-2008 at 12:21 PM.. Reason: additional information
dvk01's Avatar
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,749 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
13-Apr-2008, 05:19 AM #4
most of the problems are due to, using P2P and teh pando toolbar is adware & causes ads to be displayed and that is a big part of the problems

you have far too many antitrojans, antiviruses, antispyware installed to even start to eb able to fix anything as they will all interfere & clash

uninstall everything antivirus & antispyware etc except your main antivirus

which do you use mcafee or AVG as both are active & running

then reboot & post a fresh HJT log so we can see

once you have posted the HJT log with none of the multitude of antispywares that aren't always then best choice as teh ones you haev don't detect a great amount

download Sunbelt Counterspy Free trial

Save the install file to desktop and double click it to install counterspy

Once it has installed, follow the set up wizard which will automatically start, allow it to update itself

It will take a few minutes to update to the latest definitions file versions

run a full scan & when it finishes a window will open with all items found

They should all be marked as quarantine or delete by default so scroll down & check that nothing you know to be good or want to keep is detected. Just in case of an error select Quarantine for everything rather than delete.Then just press the take action button & follow any prompts ( set anything you want to keep as ignore)

post back with it's report ( on the scan page, press view details & copy that report & paste it back here )
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
13-Apr-2008, 11:35 PM #5
Oh..I thought that having many AV and spyware would help protect the computer more. I've removed everything except for AVG and 2 McAfee files which refuse to be removed from the Programs folder (error always occurs saying that these files are write-protected or are currently being used but I've installed the whole McAfee in Add/Remove programs and the Startup programs in msconfig, what should I do? The files are: Mcdetect.exe and McTskshd.exe)

Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:55 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

--
End of file - 5856 bytes

Will download the Counterspy Free Trial next and keep you posted.
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
14-Apr-2008, 02:51 AM #6
Counterspy Scan results:

Scan History Details
Start Date: 4/14/2008 5:49:25 AM
End Date: 4/14/2008 6:41:45 AM
Total Time: 52 Min 20 Sec
Detected security risks

BrilliantDigital Adware (General) more information...
Details: Brilliant Digital Entertainment (BDE) provides the ability for advertising and other content to be displayed using rich multimedia.
Status: Quarantined

Files detected
F:\WINDOWS\BDE\b3dlogo\b3d.b3d
F:\WINDOWS\BDE\Cache\b3d.b3d
F:\WINDOWS\SYSTEM32\BDErastMMX3.dll


ClearSearch Hijacker more information...
Details: ClearSearch is an adware component that periodically contacts the search site, www.clrsch.com, for advertisement-tracking purposes.
Status: Quarantined

Files detected
F:\WINDOWS\TEMP\ClrSch\FNuninstaller.EX_


DownloadWare Adware (General) more information...
Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control.
Status: Quarantined

Files detected
F:\Program Files\MediaLoads Enhanced\install.exe
F:\Program Files\Support Software\install.exe


Claria.GAIN.CommonElements Adware (General) more information...
Details: Claria's GAIN network consists of several applications inlcuding Gator eWallet, GotSmiley, ScreenSeenes, WebSecureAlert, DashBar, Weatherscope, Date Manager and Precision Time.
Status: Quarantined

Files detected
F:\Program Files\Common Files\CMEII\store\core\appmgrgui.zip


Hotbar Toolbar more information...
Details: Hotbar Web Tools is a collection of browser and system enhancements. The primary application is the Hotbar toolbar, which is a "skinable" browser toolbar for Internet Explorer.
Status: Quarantined

Files detected
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\HostOI\static\1\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\HostOI\static\2\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\HostOL\static\1\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\HostOL\static\2\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_2000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_3000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar1.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar10.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar11.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar12.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar2.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar3.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar5.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar6.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar8.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_bbar9.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_buttons_x.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\d_icons_weather.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\icons2.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\1\t2_bg.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_2000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_3000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar1.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar10.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar11.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar12.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar2.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar3.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar5.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar6.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar8.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_bbar9.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_buttons_x.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\d_icons_weather.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\icons2.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\2\t2_bg.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\d_icons_buttons_2000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\d_icons_buttons_3000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_2000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_3000.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar1.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar2.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar3.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar5.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_weather.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\progress.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\t2_bg.res
F:\Documents and Settings\bev\Application Data\Hotbar\v3.0\Hotbar\static\progress.res


KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored

Registry entries detected
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA\LocalContent


C2.Lop Hijacker more information...
Details: Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites.
Status: Quarantined

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL


MyWebSearch Toolbar Potentially Unwanted Program more information...
Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
Status: Ignored

Files detected
F:\Program Files\Uninstall My Web Search.dll


iSearch.Toolbar Toolbar more information...
Details: iSearch.Toolbar is a spyware/adware toolbar that is purported to deliver advanced toolbar functions to Internet Explorer, however, it changes your browser settings.
Status: Quarantined

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000017.exe
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000020.exe


180solutions.SearchAssistant Adware (General) more information...
Details: 180search Assistant is an adware application that monitors users' search queries and web surfing in order to display targeted advertising.
Status: Quarantined

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\APPID\ACTIVEX.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\ACTIVEX.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\{D28CD14C-50BE-4CFA-951E-B37F25DA3472}
HKEY_LOCAL_MACHINE\Software\Classes\APPID\{D28CD14C-50BE-4CFA-951E-B37F25DA3472}


IST.SideFind Browser Plug-in more information...
Details: SideFind is a browser helper object (BHO) that add a side bar to Internet Explorer and displays alternate search results in the side bar.
Status: Quarantined

Registry entries detected
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING


My Search Bar Potentially Unwanted Program more information...
Details: My Search Bar and the variants "My Way Speedbar" and "My Way Search Assistant", are browser helper objects that allows you to search on multiple search engines.
Status: Ignored

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID


Zango.SearchAssistant Adware (General) more information...
Details: Zango Search Assistant opens new browser windows showing websites based on the previous websites you visit.
Status: Quarantined

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\HELPDIR


FunWebProducts Potentially Unwanted Program more information...
Details: Fun Web Products bundles adware software in its products.
Status: Ignored

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000007.scr


Netwebsearch/Adblaster Toolbar more information...
Status: Quarantined

Files detected
F:\WINDOWS\Downloaded Program Files\AdInstaller.ocx


Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Quarantined

Registry entries detected
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\WGET


AntiVirus Gold Rogue Security Program more information...
Details: AntiVirus Gold is a is a purported anti-spyware and antivirus application to scan for and remove malware from users' computers.
Status: Quarantined

Files detected
F:\WINDOWS\TEMP\mhfo.exe


WindUpdates.MediaGateway Adware (General) more information...
Details: WindUpdates.MediaGateway is an adware application that displays advertising on the desktop, usually pop-ups.
Status: Quarantined

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D676F999-4608-4DC5-A135-4F51F4212739}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D676F999-4608-4DC5-A135-4F51F4212739}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{DD469A88-316C-441D-B712-783D9B9A6707}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.INSTALLER.1
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.INSTALLER.1
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.INSTALLER.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.INSTALLER.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER.1
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER.1
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\MEDIAGATEWAY.LICENSEINSTALLER\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAGATEWAYX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAGATEWAYX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAGATEWAYX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MEDI AGATEWAY
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MEDI AGATEWAY


Trojan-Dropper.Multi.Gen Trojan Downloader more information...
Status: Quarantined

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000009.exe
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000010.exe


Dialer.Creazione Porn Dialer more information...
Status: Quarantined

Files detected
F:\WINDOWS\Downloaded Program Files\internazionale_98_ver11.INF


I-Spy (the_seed) Password Cracker/Stealer more information...
Details: I-Spy (the_seed) is a kind of spyware program that captures passwords of dialup, cached, e-mail, network and Mozilla in a text file and uploads that file automatically to a predefined web address.
Status: Quarantined

Registry entries detected
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\NIRSOFT\MAILPASSVIEW
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\NIRSOFT\NETPASS


Trojan.Flooder.Vb E-Mail Flooder more information...
Status: Quarantined

Files detected
C:\Documents and Settings\bryan\Local Settings\Temp\ProphecyOfDistress\Prophecy Of Distress\Prophecy Of Distress.exe


Cookie: Tracking Cookies Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\brian\cookies\brian@247realmedia[1].txt
c:\documents and settings\brian\cookies\brian@ad.yieldmanager[2].txt
c:\documents and settings\brian\cookies\brian@adrevolver[2].txt
c:\documents and settings\brian\cookies\brian@adsremote.scripps[1].txt
c:\documents and settings\brian\cookies\brian@atdmt[2].txt
c:\documents and settings\brian\cookies\brian@belointeractive[1].txt
c:\documents and settings\brian\cookies\brian@bs.serving-sys[1].txt
c:\documents and settings\brian\cookies\brian@casalemedia[2].txt
c:\documents and settings\brian\cookies\brian@citi.bridgetrack[1].txt
c:\documents and settings\brian\cookies\brian@doubleclick[1].txt
c:\documents and settings\brian\cookies\brian@mysearch[1].txt
c:\documents and settings\brian\cookies\brian@realmedia[2].txt
c:\documents and settings\brian\cookies\brian@sales.liveperson[2].txt
c:\documents and settings\brian\cookies\brian@sales.liveperson[3].txt
c:\documents and settings\brian\cookies\brian@tradedoubler[2].txt
c:\documents and settings\brian\cookies\brian@www.bigfishgames[1].txt
c:\documents and settings\brian\cookies\brian@xiti[1].txt
c:\documents and settings\bryan\cookies\bryan@2o7[2].txt
c:\documents and settings\bryan\cookies\bryan@ad.yieldmanager[2].txt
c:\documents and settings\bryan\cookies\bryan@adrevolver[2].txt
c:\documents and settings\bryan\cookies\bryan@ads.pointroll[2].txt
c:\documents and settings\bryan\cookies\bryan@adsremote.scripps[1].txt
c:\documents and settings\bryan\cookies\bryan@advertising[1].txt
c:\documents and settings\bryan\cookies\bryan@amazon[2].txt
c:\documents and settings\bryan\cookies\bryan@atdmt[2].txt
c:\documents and settings\bryan\cookies\bryan@azjmp[1].txt
c:\documents and settings\bryan\cookies\bryan@belnk[1].txt
c:\documents and settings\bryan\cookies\bryan@bluestreak[1].txt
c:\documents and settings\bryan\cookies\bryan@bs.serving-sys[2].txt
c:\documents and settings\bryan\cookies\bryan@counter.hitslink[2].txt
c:\documents and settings\bryan\cookies\bryan@dist.belnk[2].txt
c:\documents and settings\bryan\cookies\bryan@doubleclick[2].txt
c:\documents and settings\bryan\cookies\bryan@fastclick[2].txt
c:\documents and settings\bryan\cookies\bryan@hitbox[2].txt
c:\documents and settings\bryan\cookies\bryan@mediaplex[1].txt
c:\documents and settings\bryan\cookies\bryan@overture[1].txt
c:\documents and settings\bryan\cookies\bryan@phg.hitbox[2].txt
c:\documents and settings\bryan\cookies\bryan@questionmarket[2].txt
c:\documents and settings\bryan\cookies\bryan@realmedia[1].txt
c:\documents and settings\bryan\cookies\bryan@revenue[1].txt
c:\documents and settings\bryan\cookies\bryan@revsci[2].txt
c:\documents and settings\bryan\cookies\bryan@serving-sys[1].txt
c:\documents and settings\bryan\cookies\bryan@statcounter[1].txt
c:\documents and settings\bryan\cookies\bryan@statse.webtrendslive[2].txt
c:\documents and settings\bryan\cookies\bryan@tribalfusion[1].txt
c:\documents and settings\bryan\cookies\bryan@zedo[2].txt
dvk01's Avatar
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,749 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
15-Apr-2008, 04:15 PM #7
we can sort out mcafee left overs quite easily


I think Counterspy found & fixed a few problems

download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.







This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
16-Apr-2008, 12:24 AM #8
I don't know if you need to know this but just in case: When I first dragged the *.txt file to ComboFix, an error message popped up saying that it failed to copy or something so I tried dragging it the 2nd time and this time it worked. ComboFix started, it rebooted my computer then after the message "log file will be located at c:\combofix.txt, all the files in my desktop including the taskbar disappeared. I thought this was normal so I left it as is. After 30mins of no response and no new window created containing the logfile, I ended the task then rebooted and started everything once again (downloading *.txt and dragging it to combofix etc), no hanging occurred this time and it was all finished after less than 10mins. I checked the startup files and no mcafee products are starting and there's no mcafee folders present in the Program files already But I couldn't get my Counterspy to start anymore. Error occurs when I do saying: "The Service Controller returned No Service. You may be running a scheduled update" but there is no scheduled update at this time that's running. I've restarted the computer a couple of times and Counterspy will still not open.

Anyway, here are the ComboFix and HiJackThis log files you requested:

ComboFix 08-04-11.8 - Brian 2008-04-16 12:04:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191 [GMT 8:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\CSC2.5U-EN-779-F.sbr.sgn
c:\program files\mcafee.com
c:\program files\mcafee.com\Agent\Mcdetect.exe
c:\program files\mcafee.com\Agent\Mcdetect.inf
c:\program files\mcafee.com\Agent\McTskshd.exe
c:\program files\mcafee.com\Agent\McTskshd.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCDETECT.EXE
-------\Legacy_MCTSKSHD.EXE
-------\Legacy_MCUPDMGR.EXE
-------\Service_McDetect.exe
-------\Service_McTskshd.exe
-------\Service_mcupdmgr.exe


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-14 13:49 . 2008-04-14 13:49 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-14 13:49 . 2008-04-14 13:49 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-14 13:44 . 2008-04-14 13:44 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-14 13:43 . 2008-04-14 13:43 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Sunbelt Software
2008-04-14 13:43 . 2008-04-14 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-14 13:42 . 2008-04-14 13:42 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-12 10:56 . 2008-04-12 11:01 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-04-10 14:59 . 2008-04-10 14:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 19:44 . 2008-04-09 19:44 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\TrojanHunter
2008-04-04 11:08 . 2008-04-04 11:08 10 -r------- C:\WINDOWS\PSTUDIO.SN
2008-04-04 11:03 . 2008-04-04 11:03 572 --a------ C:\WINDOWS\maxlink.ini
2008-04-04 11:03 . 2008-04-04 11:03 0 --a------ C:\WINDOWS\OP70.INI
2008-04-04 11:02 . 2008-04-04 11:02 <DIR> d-------- C:\WINDOWS\Pixtran
2008-04-04 11:02 . 2008-04-04 11:03 <DIR> d-------- C:\Program Files\Common Files\Caere
2008-04-04 11:02 . 1998-10-12 18:08 299,520 --a------ C:\WINDOWS\Uninsop9.exe
2008-04-04 11:02 . 1998-10-12 18:13 97,280 --a------ C:\WINDOWS\system32\opshel32.dll
2008-04-04 11:02 . 1998-10-16 09:45 44,032 --a------ C:\WINDOWS\OP9Deins.exe
2008-04-04 11:01 . 2008-04-04 11:01 <DIR> d-------- C:\Program Files\Caere
2008-04-04 10:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Program Files\ArcSoft
2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Documents and Settings\Brian\WINDOWS
2008-04-04 10:57 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-04-04 10:57 . 2008-04-04 11:16 1,079 --a------ C:\WINDOWS\pstudio.ini
2008-04-04 10:57 . 2008-04-04 11:16 28 --a------ C:\WINDOWS\album.ini
2008-04-04 10:57 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\Ps_setup.ini
2008-04-02 11:33 . 2008-04-02 11:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-27 14:34 . 2008-03-27 17:12 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Gamelab
2008-03-27 14:34 . 2008-03-27 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-14 02:56 --------- d-----w C:\Program Files\Java
2008-04-14 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-11 09:11 --------- d-----w C:\Documents and Settings\Brian\Application Data\AVG7
2008-04-05 06:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-04 03:16 --------- d-----w C:\Documents and Settings\Brian\Application Data\Canon
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 23:42 --------- d-----w C:\Program Files\LimeWire
2008-03-08 23:44 --------- d-----w C:\Program Files\Incomplete
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 20:30 --------- d-----w C:\Program Files\QuickTime
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 20:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2004-10-11 14:54 589824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-11 06:21 188416]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-27 02:38 866816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 13:11 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 21:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 15:15 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-23 03:02:57 113664]
TV Remote Control.lnk - C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe [2007-05-03 13:53:58 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
c:\program files\mcafee.com\shared\mcappins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-09-26 05:54 229952 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 21:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-05-28 05:58 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]
C:\DOCUME~1\Brian\LOCALS~1\Temp\CUninst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\FreeStyle Online\\FreeStyle.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"56589:TCP"= 56589:TCP:Pando P2P TCP Listening Port
"56589:UDP"= 56589:UDP:Pando P2P UDP Listening Port

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-14 13:44]
R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2005-04-04 09:55]
S2 713xTVCard;SAA7131 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-16 03:00]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{2f26c92a-dbd6-11da-9a0c-00142a57057f}]
\Shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-17 20:40:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 12:06:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-16 12:06:45
ComboFix-quarantined-files.txt 2008-04-16 04:06:28
ComboFix2.txt 2008-04-12 16:04:03
Pre-Run: 35,218,182,144 bytes free
Post-Run: 35,202,125,824 bytes free
.
2008-04-12 08:42:36 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:27 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5580 bytes
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
16-Apr-2008, 11:20 PM #9
Counterspy is working again, uninstalled and reinstalled it and did a system scan. Here's the log, just in case:

Scan History Details
Start Date: 4/16/2008 6:21:15 AM
End Date: 4/16/2008 7:07:17 AM
Total Time: 46 Min 2 Sec
Detected security risks

BrilliantDigital Adware (General) more information...
Details: Brilliant Digital Entertainment (BDE) provides the ability for advertising and other content to be displayed using rich multimedia.
Status: Quarantined

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003155.dll


DownloadWare Adware (General) more information...
Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control.
Status: Deleted

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003156.exe
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003157.exe


KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored

Registry entries detected
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA\LocalContent


MyWebSearch Toolbar Potentially Unwanted Program more information...
Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
Status: Ignored

Files detected
F:\Program Files\Uninstall My Web Search.dll


My Search Bar Potentially Unwanted Program more information...
Details: My Search Bar and the variants "My Way Speedbar" and "My Way Search Assistant", are browser helper objects that allows you to search on multiple search engines.
Status: Ignored

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID


FunWebProducts Potentially Unwanted Program more information...
Details: Fun Web Products bundles adware software in its products.
Status: Ignored

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000007.scr


Netwebsearch/Adblaster Toolbar more information...
Status: Deleted

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003158.ocx


Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\WGET


AntiVirus Gold Rogue Security Program more information...
Details: AntiVirus Gold is a is a purported anti-spyware and antivirus application to scan for and remove malware from users' computers.
Status: Quarantined

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003159.exe


Dialer.Creazione Porn Dialer more information...
Status: Deleted

Files detected
F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003160.INF


Cookie: Tracking Cookies Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\brian\cookies\brian@ad.yieldmanager[2].txt
c:\documents and settings\brian\cookies\brian@atdmt[2].txt
c:\documents and settings\brian\cookies\brian@doubleclick[1].txt
c:\documents and settings\brian\cookies\brian@statse.webtrendslive[2].txt


Adware.Rebates Adware (General) more information...
Status: Deleted

Files detected
F:\WINDOWS\TEMP\webr.exe
dvk01's Avatar
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,749 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
18-Apr-2008, 12:57 PM #10
that looks a lot better

everything now is in system restore so we will clear that out as part of the final fix

delete any cfscript. txt files on desktop & then

*Follow these steps to uninstall Combofix and tools used in the removal of malware*
* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.
[img] http://i189.photobucket.com/albums/z...CF_Cleanup.png [/img]


then
Turn off system restore by following instructions here
for XP http://www.thespykiller.co.uk/index.php?page=8
or for Vista http://www.bleepingcomputer.com/tuto...torial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
18-Apr-2008, 10:50 PM #11
Done. So as of my last log, all known malware and viruses have already been detected and removed?
dvk01's Avatar
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,749 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
19-Apr-2008, 06:08 PM #12
I can't guarantee no more viruses & malware but nothing obvious left there
wishbear's Avatar
wishbear wishbear is offline
Junior Member with 13 posts.
THREAD STARTER
 
Join Date: Apr 2008
Location: Philippines
Experience: Beginner
20-Apr-2008, 11:17 PM #13
Yay! Thanks so much Derek!!
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑