
Please Help! Tons of Pop-Ups!

Discussion in 'Virus & Other Malware Removal' started by ka_cheng22, Jul 12, 2007.

  1. ka_cheng22

    ka_cheng22 Thread Starter

    Joined:
    Jul 12, 2007
    Messages:
    6
    Hi. Pop-ups come up every time I open my browser. I've scanned my computer with Symantec, Ad-Aware, and Spybot. Symantec and Ad-Aware don't find anything, but Spybot says I have Smitfraud-C, which they cannot remove. I also think I have Netster ads.

    Please help! Here's my hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:23:30 PM, on 7/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Microsoft Encarta\Encarta Reference Library 2004\EDICT.EXE
    C:\Program Files\Intel\Wireless\bin\iFrmewrk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Wei C. Yuet\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchwithmaroon5.prodege.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {3CED9EBD-B5CF-4F7E-8DC9-878C9AEA5B22} - \
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: (no name) - {ab4b7f7e-4752-4a36-b41f-d5e349a9bcb3} - C:\WINDOWS\system32\mcislib.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {C21EFD72-664E-437D-A6CD-02A8902127DB} - C:\WINDOWS\system32\geedd.dll (file missing)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/servicemgr/ServiceMgr.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE6A7ED0-B2FF-409D-930C-79422B899802} - http://cdn.digitalcity.com/video/kdx.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 13437 bytes
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Download Combofix to your desktop.
    Double-click combofix.exe.
    Follow the prompts.
    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
    Post this log in your next reply.
     
  3. ka_cheng22

    ka_cheng22 Thread Starter

    Joined:
    Jul 12, 2007
    Messages:
    6
    Thanks, jwbirdsong. Here is the combofix log:

    "Wei C. Yuet" - 2007-07-12 19:34:29 - ComboFix 07-07-13 - Service Pack 2

    ADS removed - system32: deleted 70570 bytes in 1 streams.

    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\adcybndv.exe
    C:\WINDOWS\system32\iqjscvyc.exe
    C:\WINDOWS\system32\jpyeewrt.exe
    C:\WINDOWS\system32\kdkwqvuc.exe
    C:\WINDOWS\system32\lmaaakro.exe
    C:\WINDOWS\system32\mqioukve.exe
    C:\WINDOWS\system32\qhryjiic.exe
    C:\WINDOWS\system32\skbkhvld.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\.protected
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\.protected
    C:\DOCUME~1\WEIC~1.YUE\STARTM~1\Programs\Startup.\.protected
    C:\Program Files\TTC.dll
    C:\temp\0b9
    C:\temp\0b9\tmpTF.log
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\temp\tn3
    C:\WINDOWS\.protected
    C:\WINDOWS\b122.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\etc\.protected
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\X2
    C:\WINDOWS\system32\X2\mwspasrt83122.exe
    C:\WINDOWS\system32\X3
    C:\WINDOWS\system32\X4
    C:\WINDOWS\system32\X4\wen22.exe
    C:\WINDOWS\system32\X9
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


    2007-07-12 19:33 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-12 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-07-10 10:52 <DIR> d-------- C:\VundoFix Backups
    2007-06-29 21:31 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
    2007-06-29 21:31 <DIR> d-------- C:\Program Files\DAP
    2007-06-29 14:45 <DIR> d-------- C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\AOL
    2007-06-18 16:20 <DIR> d-------- C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\Snapfish


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-12 21:21:06 -------- d-----w C:\Program Files\BitTorrent
    2007-07-10 20:33:53 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\Ruckus Network
    2007-07-06 22:06:18 3,584 ----a-w C:\WINDOWS\mozver.dat
    2007-07-06 00:59:21 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2007-06-26 00:37:42 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\BitTorrent
    2007-05-28 22:14:22 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\AVSMedia
    2007-05-25 21:17:38 -------- d-----w C:\Program Files\Apple Software Update
    2007-05-25 21:13:13 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\CyberLink
    2007-05-25 20:47:28 -------- d-----w C:\Program Files\Common Files\AVSMedia
    2007-05-25 20:46:44 -------- d-----w C:\Program Files\AVSMedia
    2007-05-25 03:26:32 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\Move Networks
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-13 22:04:20 -------- d-----w C:\Program Files\Photo Story 3 for Windows
    2007-05-13 01:41:48 -------- d-----w C:\Program Files\America Online 9.0
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2006-08-12 01:09:00 104 --sh--r C:\WINDOWS\system32\068BB2BEF2.sys
    2006-08-11 03:38:17 88 --sh--r C:\WINDOWS\system32\F2BEB28B06.sys
    2006-08-12 01:09:00 8,456 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
    C:\Program Files\Outerinfo\Outerinfo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CED9EBD-B5CF-4F7E-8DC9-878C9AEA5B22}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 02:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar5.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab4b7f7e-4752-4a36-b41f-d5e349a9bcb3}]
    C:\WINDOWS\system32\mcislib.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    2007-06-20 15:58 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C21EFD72-664E-437D-A6CD-02A8902127DB}]
    C:\WINDOWS\system32\geedd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    2006-02-22 12:00 94208 --a------ c:\Program Files\BAE\BAE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 14:35 C:\WINDOWS\stsystra.exe]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2006-04-06 14:58]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 11:56]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 23:03]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
    "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-08-22 10:52]
    "msi"="" []
    "tbon"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 15:58]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "UMGR32.EXE"=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command- E:\setup.exe


    Contents of the 'Scheduled Tasks' folder
    2006-12-31 16:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-01-22 22:10:56 C:\WINDOWS\tasks\Uniblue SpyEraser.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-12 19:39:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-07-12 19:42:26 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-12 19:41

    --- E O F ---
     
  4. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    It appears you have two Anti-Virus programs installed (Norton and AntiVir). While one is a MUST HAVE, more than one is a guarantee of trouble. They will fight for control of your system's resources and can cause many, many problems. Choose one and uninstall the other.

    You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Open HijackThis and click on Do a system scan only. Place a check mark next to the following:



    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {3CED9EBD-B5CF-4F7E-8DC9-878C9AEA5B22} - \
    O2 - BHO: (no name) - {ab4b7f7e-4752-4a36-b41f-d5e349a9bcb3} - C:\WINDOWS\system32\mcislib.dll (file missing)
    O2 - BHO: (no name) - {C21EFD72-664E-437D-A6CD-02A8902127DB} - C:\WINDOWS\system32\geedd.dll (file missing)


    Close ALL other open windows and programs and click Fix checked.

    Clean your Cache and Cookies in IE:
    Go to Control Panel > Internet Options > General tab.
    Click the "Delete Cookies" button and then the "Delete Files" button next to it.
    When prompted, place a check in "Delete all offline content".
    (You will have to re-enter passwords at websites that require them.)
    Click OK.

    Clean other Temporary files + Recycle bin:
    Go to start > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.
    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    Press OK to remove them.

    Updating Java and Clearing Cache
    • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
    • Search in the list for all previously installed versions of Java. (J2RE Runtime Environment.... )
      It should have the Java icon next to it.
      Select it and click Remove.
      1. Now please install the Java Runtime Environment (JRE) 6.0 Update 1 manually.
      2. Remember to reboot the computer after updating.
      3. After the reboot, go back into the Control Panel and double-click the Java icon.
      4. Under Temporary Internet Files, click the Delete Files button.
      5. There are three options in the window to clear the cache. Leave ALL 3 checked:
        • Downloaded Applets
        • Downloaded Applications
        • Other Files
      6. Click OK on the Delete Temporary Files window.
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      7. Click OK to leave the Java Control Panel.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log.
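An added example, not from this thread or from HijackThis itself, of the triage rule the reply above applies to the O2 entries: a Python parser over the O2 lines copied from the log in post 1 that separates dangling BHO registrations (file missing, no file, empty path) from unnamed entries that do load a DLL and only need a vendor check. It goes slightly beyond the post's list by also flagging the "(no file)" entry; the verdict names and the SAMPLE_LOG constant are the example's own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample: O2/O3 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\\Program Files\\Outerinfo\\Outerinfo.dll (file missing)",
    "O2 - BHO: (no name) - {3CED9EBD-B5CF-4F7E-8DC9-878C9AEA5B22} - \\",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar5.dll",
    "O2 - BHO: (no name) - {ab4b7f7e-4752-4a36-b41f-d5e349a9bcb3} - C:\\WINDOWS\\system32\\mcislib.dll (file missing)",
    "O2 - BHO: (no name) - {C21EFD72-664E-437D-A6CD-02A8902127DB} - C:\\WINDOWS\\system32\\geedd.dll (file missing)",
    "O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar5.dll",
]

# Shape of one O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


def parse_o2(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (name, clsid, path) for an O2 line, or None for any other line type."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("clsid"), m.group("path").strip()


def classify(name: str, path: str) -> Tuple[str, str]:
    """Map one BHO registration to (verdict, reason).

    "fix"    -> dangling registration: nothing loads, safe to tick under Fix checked
    "review" -> unnamed, but it does load a real DLL; identify the vendor before removing
    "ok"     -> named and the file is present
    """
    if path.endswith("(file missing)"):
        return "fix", "registered DLL no longer on disk"
    if path in ("(no file)", "\\", ""):
        return "fix", "registration with no DLL path"
    if name == "(no name)":
        return "review", "unnamed BHO that does load a file"
    return "ok", "named BHO with file present"


def triage(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (clsid, verdict, reason, original_line) for every O2 entry in the log."""
    out = []
    for line in lines:
        parsed = parse_o2(line)
        if parsed is None:
            continue  # R0/R1, O3, O4 ... lines are outside this check
        name, clsid, path = parsed
        verdict, reason = classify(name, path)
        out.append((clsid, verdict, reason, line.strip()))
    return out


def hjt_fix_list(lines: Iterable[str]) -> List[str]:
    """The O2 lines a helper would ask the user to tick before clicking Fix checked."""
    return [orig for _, verdict, _, orig in triage(lines) if verdict == "fix"]


def review_list(lines: Iterable[str]) -> List[str]:
    """Unnamed BHOs whose DLL exists: not removed automatically, checked by hand."""
    return [orig for _, verdict, _, orig in triage(lines) if verdict == "review"]


if __name__ == "__main__":
    for clsid, verdict, reason, _ in triage(SAMPLE_LOG):
        print(f"{verdict:6} {clsid}  {reason}")
```

Note that SDHelper.dll (Spybot's own BHO) lands in the review bucket, not the fix list: "(no name)" by itself is not evidence of infection, which is why the reply only ticked the entries whose file is gone.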
     
  5. ka_cheng22

    ka_cheng22 Thread Starter

    Joined:
    Jul 12, 2007
    Messages:
    6
    I deleted my Symantec Anti-Virus program and left the AntiVir program. I also did the steps below, but I could not download the Panda ActiveScan. I allowed the ActiveX component to download, and I kept on getting 'Error.' :( Is there something preventing me from using the ActiveScan?
     
  6. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Let's find out...see if you can run this one instead.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    When done, post the Kaspersky log and a fresh HijackThis log.
     
  7. ka_cheng22

    ka_cheng22 Thread Starter

    Joined:
    Jul 12, 2007
    Messages:
    6
    Here is my log from the Kaspersky Online Scan. I will post the HijackThis log separately.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, July 19, 2007 4:02:44 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 19/07/2007
    Kaspersky Anti-Virus database records: 365300
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 72392
    Number of viruses found: 11
    Number of infected objects: 29
    Number of suspicious objects: 0
    Duration of the scan process: 02:19:58

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbc2e.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbdam Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbdao Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbeam Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbeao Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbm Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbu2d.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbvm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\dbvmh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\fii.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\fiih.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\hp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\hpt2i.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\rpm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\rpm1m.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\rpm1mh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\b9dafea9efe0\rpmh.ht1 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Application Data\BitTorrent\bittorrent.log Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Application Data\BitTorrent\incomplete\375006c0-913d Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Application Data\BitTorrent\incomplete\ef1afd8b-25f8\Beowulf.&.Grendel[2005]DvDrip[Eng]-aXXo.avi Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Local Settings\History\History.IE5\MSHist012007071920070720\index.dat Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Local Settings\Temp\~DFFC4.tmp Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Wei C. Yuet\ntuser.dat.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
    C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir NSIS: infected - 3 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\adcybndv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\iqjscvyc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\jpyeewrt.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kdkwqvuc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\lmaaakro.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\mqioukve.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\o02PrEz\o02PrEz1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\qhryjiic.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\skbkhvld.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\X2\mwspasrt83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\X2\mwspasrt83122.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\X4\wen22.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
    C:\QooBox\Quarantine\catchme2007-07-12_193913.43.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
    C:\QooBox\Quarantine\catchme2007-07-12_193913.43.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP242\A0049254.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP242\A0049255.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP243\A0049439.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP243\A0049548.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP245\A0049946.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP246\A0050108.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP249\A0051314.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP249\A0051314.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP259\change.log Object is locked skipped
    C:\VundoFix Backups\geedd.dll.bad Infected: Trojan-Downloader.Win32.Agent.bxq skipped
    C:\VundoFix Backups\jkkkkkh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\VundoFix Backups\pmnkjgd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\VundoFix Backups\rqrropq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{45353D31-01C8-442D-AA57-D8AD8A82D25A}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{89C76949-3DD3-4E07-9F0F-414B31CA8A32}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
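    The helper's later verdict that this report "looks good" rests on one observation: every hit sits in a quarantine folder (C:\QooBox\Quarantine, C:\VundoFix Backups) or inside a System Restore point, and nothing is flagged at a live path. The following script, an added example that is not part of the original thread or of any Kaspersky tool, makes that triage mechanical: it parses the report's three line shapes ("Object is locked skipped", "Infected: <name> skipped", and archive summaries such as "NSIS: infected - 3 skipped"), sorts each detection by where it lives, and returns only the ones that still need cleaning. The sample lines are copied from the report above; the single "live" line is a constructed placeholder, as labelled.

```python
import re

# Constructed subset of the Kaspersky Online Scanner report posted above.
# Every line here is taken from that report; only LIVE_EXAMPLE is invented.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\adcybndv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\catchme2007-07-12_193913.43.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP245\A0049946.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\geedd.dll.bad Infected: Trojan-Downloader.Win32.Agent.bxq skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Constructed placeholder (NOT from the report): what a detection at a live
# system path would look like, used to show the "still infected" branch.
LIVE_EXAMPLE = r"C:\WINDOWS\system32\PLACEHOLDER-not-from-report.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped"

LOCKED_SUFFIX = " Object is locked skipped"
# Archive summary lines: "<path> NSIS: infected - 3 skipped", "<path> ZIP: infected - 1 skipped"
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<fmt>[A-Z]+): infected - (?P<n>\d+) skipped$")


def parse_line(line):
    """Split one report line into path, kind and detection name (or None for blank)."""
    line = line.rstrip()
    if not line:
        return None
    if line.endswith(LOCKED_SUFFIX):
        # File was open by the OS (registry hives, logs); not scanned, not a detection.
        return {"path": line[: -len(LOCKED_SUFFIX)], "kind": "locked", "detection": None}
    if " Infected: " in line and line.endswith(" skipped"):
        # Paths may contain spaces, so split from the right on the marker.
        path, detection = line[: -len(" skipped")].rsplit(" Infected: ", 1)
        return {"path": path, "kind": "infected", "detection": detection}
    m = CONTAINER_RE.match(line)
    if m:
        return {"path": m["path"], "kind": "container",
                "detection": f"{m['fmt']} archive with {m['n']} infected member(s)"}
    return {"path": line, "kind": "unknown", "detection": None}


def classify_location(path):
    """Where does the object live? Quarantine and restore points are already contained."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine") or p.startswith(r"c:\vundofix backups"):
        return "quarantine"
    if r"\system volume information\_restore" in p:
        return "restore_point"
    return "live"


def triage(report_text):
    """Count detections by location and return the ones at live paths."""
    summary = {k: 0 for k in ("locked", "quarantine", "restore_point", "live", "other")}
    live_hits = []
    for raw in report_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "locked":
            summary["locked"] += 1
        elif rec["kind"] in ("infected", "container"):
            location = classify_location(rec["path"])
            summary[location] += 1
            if location == "live":
                live_hits.append(rec)
        else:
            summary["other"] += 1
    return summary, live_hits


if __name__ == "__main__":
    counts, live = triage(SAMPLE_REPORT)
    print(counts)
    print("live detections:", [(h["path"], h["detection"]) for h in live])
```

Run against the full report it reports a non-zero quarantine and restore_point count and an empty live list, which is exactly the state the helper was waiting for before wrapping up; the quarantine folders and restore points are then the remaining cleanup (tool uninstall and a new restore point), not active infections.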
     
  8. ka_cheng22

    ka_cheng22 Thread Starter

    Joined:
    Jul 12, 2007
    Messages:
    6
    Here is my HijackThis log from after the scan.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:04:13 PM, on 7/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Microsoft Encarta\Encarta Reference Library 2004\EDICT.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Intel\Wireless\bin\iFrmewrk.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Wei C. Yuet\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchwithmaroon5.prodege.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/servicemgr/ServiceMgr.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE6A7ED0-B2FF-409D-930C-79422B899802} - http://cdn.digitalcity.com/video/kdx.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 11536 bytes
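    Reading a HijackThis log by hand means scanning each prefixed line (R0, O2, O4, O9, O20, ...) for the handful of things that merit a second look: entries that point at "(no file)", a start page that is not the default, Run values that name a bare executable with no path, and anything in AppInit_DLLs. The script below, an added example that is not part of the original thread or of HijackThis itself, encodes that checklist over a subset of the log above. It only flags entries for review; it does not decide whether they are malicious, which is the same stance the helper took when asking about the start page rather than fixing it.

```python
import re

# Constructed subset of the HijackThis log posted above (lines copied from it).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchwithmaroon5.prodege.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

# "O4 - HKLM\..\Run: [Name] command" -> type "O4", body "HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
# Pulls the command out of an O4 body: "[Name] command line"
O4_CMD_RE = re.compile(r"^.*\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")


def parse_hjt(text):
    """Return (type, body) pairs for every HijackThis entry line, ignoring the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["type"], m["body"]))
    return entries


def executable_of(cmd):
    """First token of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split()[0] if cmd else ""


def review_hjt(text):
    """Apply the review checklist; each finding is a dict, never a verdict."""
    findings = []
    for etype, body in parse_hjt(text):
        if "(no file)" in body:
            findings.append({"type": etype, "entry": body,
                             "reason": "orphaned entry: registry still references a file that is gone"})
        elif etype == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if url != "about:blank":
                findings.append({"type": etype, "entry": body,
                                 "reason": f"non-default start page, confirm with the user: {url}"})
        elif etype == "O4":
            m = O4_CMD_RE.match(body)
            if m:
                exe = executable_of(m["cmd"])
                if "\\" not in exe:
                    # A bare name is resolved through the search path at logon,
                    # so the log alone does not tell you which file actually runs.
                    findings.append({"type": etype, "entry": body,
                                     "reason": f"bare executable name '{exe}', verify its real location"})
        elif etype == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings.append({"type": etype, "entry": body,
                             "reason": "AppInit_DLLs entry loads into every GUI process, verify the DLL's publisher"})
    return findings


if __name__ == "__main__":
    for f in review_hjt(SAMPLE_HJT):
        print(f"{f['type']}: {f['reason']}\n    {f['entry']}")
```

On the subset above this yields five findings (the prodege start page, the two "(no file)" entries, the pathless stsystra.exe Run value, and the Google AppInit DLL); the two properly pathed Adobe and AntiVir entries pass. The "(no file)" hits are the kind of leftover registry entry the helper refers to in the next post.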
     
  9. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Looks great. You may still have one registry entry left over that the HJT log didn't/couldn't take care of. Would you run and post one final (?) Combofix log and I think we can wrap this up.

    Also, just curious: did you set this/want this as your Start page? --> http://searchwithmaroon5.prodege.org/
     
  10. ka_cheng22

    ka_cheng22 Thread Starter

    Joined:
    Jul 12, 2007
    Messages:
    6
    Ok. Here is my ComboFix log. And yes, I set that as my start page on purpose. It's a temporary promotion thing. :)

    Thanks again for all of your help. It's greatly appreciated!


    "Wei C. Yuet" - 2007-07-20 15:52:59 - ComboFix 07-07-13 - Service Pack 2


    ((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))


    2007-07-19 13:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-07-19 13:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-07-16 15:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-07-12 19:33 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-12 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-07-10 10:52 <DIR> d-------- C:\VundoFix Backups
    2007-06-29 21:31 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
    2007-06-29 21:31 <DIR> d-------- C:\Program Files\DAP
    2007-06-29 14:45 <DIR> d-------- C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\AOL


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-20 00:14:34 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\BitTorrent
    2007-07-16 19:36:29 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-07-16 19:36:26 -------- d-----w C:\Program Files\Symantec
    2007-07-16 00:30:53 -------- d-----w C:\Program Files\BitTorrent
    2007-07-10 20:33:53 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\Ruckus Network
    2007-07-06 22:06:18 3,584 ----a-w C:\WINDOWS\mozver.dat
    2007-07-06 00:59:21 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2007-06-18 21:20:31 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\Snapfish
    2007-05-28 22:14:22 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\AVSMedia
    2007-05-25 21:17:38 -------- d-----w C:\Program Files\Apple Software Update
    2007-05-25 21:13:13 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\CyberLink
    2007-05-25 20:47:28 -------- d-----w C:\Program Files\Common Files\AVSMedia
    2007-05-25 20:46:44 -------- d-----w C:\Program Files\AVSMedia
    2007-05-25 03:26:32 -------- d-----w C:\DOCUME~1\WEIC~1.YUE\APPLIC~1\Move Networks
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2006-08-12 01:09:00 104 --sh--r C:\WINDOWS\system32\068BB2BEF2.sys
    2006-08-11 03:38:17 88 --sh--r C:\WINDOWS\system32\F2BEB28B06.sys
    2006-08-12 01:09:00 8,456 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 02:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar5.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    2007-06-20 15:58 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    2006-02-22 12:00 94208 --a------ c:\Program Files\BAE\BAE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 14:35 C:\WINDOWS\stsystra.exe]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2006-04-06 14:58]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 11:56]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 23:03]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
    "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-08-22 10:52]
    "msi"="" []
    "tbon"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 15:58]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "UMGR32.EXE"=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command- E:\setup.exe


    Contents of the 'Scheduled Tasks' folder
    2006-12-31 16:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-01-22 22:10:56 C:\WINDOWS\tasks\Uniblue SpyEraser.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-20 15:55:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-20 15:56:32
    C:\ComboFix-quarantined-files.txt ... 2007-07-20 15:56
    C:\ComboFix2.txt ... 2007-07-12 19:42

    --- E O F ---
     
  11. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Nothing wrong with that page/site... I was just curious; as it is not the norm, I was just making sure.

    Open Notepad and copy/paste the following text, which is in the quotebox below, into it:

    Save this as ComboFix-Do.txt

    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging ComboFix-Do.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    The Kaspersky scan looks good so you should be good to go after we verify that those reg entries were removed.
     
Short URL to this thread: https://techguy.org/595054