
Solved: 6 Trojan Infections in Windows XP

Discussion in 'Virus & Other Malware Removal' started by wishbear, Apr 10, 2008.

  1. wishbear (Thread Starter)

    Hi there!

    Last Friday, I had a few pictures developed at the nearby developing center. When I got my flash disk back, the AVG on my laptop detected this threat: Trojan Horse psw.onlinegames.z, and asked me to heal it, which I did. Apparently it still wasn't, because when I inserted another flash disk in the USB drive to copy some files to another computer (desktop), the AVG installed there reported the same Trojan. I downloaded Spyware Terminator and TrojanHunter 5.0 for both computers; 2 Trojans were found and fixed on the hard drive, and there were no reported Trojans found in the flash disk I used to copy files from the laptop to the desktop, but then again, maybe it was because I reformatted the flash disk after AVG asked me to heal the Trojan.

    I still wasn't convinced that everything was fixed, though, so I checked my AVG Virus Vault on the desktop (I still haven't done that on the laptop, because I found so many infections on the desktop that I want to fix one computer at a time). I found the following infections with their corresponding details:

    attribute name: value
    object name: uulaqvl.cmd
    object path: g:\
    discovery: Trojan Horse psw.onlinegames.aq
    date of detection: 4/10/2008 1:55:23PM
    file size: 145.72kb
    healable: no
    source: backup copy
    status: infected

    attribute name: value
    object name: uulaqvl.cmd
    object path: g:\
    discovery: Trojan Horse psw.onlinegames.aq
    date of detection: 4/09/2008 11:29:10AM
    file size: 145.72kb
    healable: no
    source: backup copy
    status: infected

    attribute name: value
    object name: dxdlg.dll
    object path: c:\windows\system32\
    discovery: Trojan Horse psw.generic.qcp
    date of detection: 5/29/2007 11:35:08AM
    file size: 94kb
    healable: no
    source: backup copy
    status: infected

    attribute name: value
    object name: uulaqvl.cmd
    object path: g:\
    discovery: Trojan Horse psw.onlinegames.aq
    date of detection: 4/07/2008 03:10:17PM
    file size: 145.72kb
    healable: no
    source: backup copy
    status: infected

    attribute name: value
    object name: NDNUninstall4_50.exe
    object path: f:\windows\
    discovery: Trojan Horse dialer.23.aw
    date of detection: 5/29/2007 11:35:097PM
    file size: 53kb
    healable: no
    source: backup copy
    status: infected

    attribute name: value
    object name: msdlupd.dll
    object path: f:\windows\system32
    discovery: Trojan Horse downloader.dyfica.3.N
    date of detection: 5/29/2007 11:35:097PM
    file size: 53kb
    healable: no
    source: backup copy
    status: infected

    C:\ and F:\ are both hard drives, with the latter being a back-up of my previous files in another computer. G:\ is the USB Drive I used when I inserted the flash disk.

    Thing is, when I searched for the object names, I didn't find the files, so I couldn't manually delete them. I didn't even know that my desktop had this many infections until I got hit with the psw.onlinegames.z Trojan, which I could not find because it seemed to have evolved into psw.onlinegames.aq.

    Another thing I noticed after the infection is that when I double-click the USB drive to access it, a new window pops up asking me what program I want to use to open the flash disk. This problem was "solved" when I reformatted the disk, but it is now back again because of the Trojan found by AVG (when I ran TrojanHunter to check the flash disk, though, there were no Trojans found). The only way to access the disk is to either reformat it or type the drive letter directly in the address bar.

    Help please.

    I downloaded and ran HijackThis and this is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:00:10 PM, on 4/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\TrojanHunter 5.0\THGuard.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\Program Files\Y!mLite\ymlite.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 7849 bytes

    Sorry if there are so many infections and thanks in advance :)

    P.S. Before I posted this, I searched and found a thread here where a flash drive was diagnosed as infected. I downloaded and installed the 3 files (elindirfix_2.zip, regfix.zip and flash_disinfector.exe) I saw there, but I don't think my infections have been solved, nor the problem with accessing the USB drive in Windows Explorer. The HijackThis scan was done after all 3 files had been installed.
     
  2. dvk01 (Derek, Moderator, Malware Specialist)

    Please visit the Combofix Guide & Instructions for instructions on downloading and running ComboFix; especially follow the advice about installing the Recovery Console.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell us when you reply.

    Make sure the USB drives are plugged in so we can disinfect them at the same time.
     
  3. wishbear (Thread Starter)

    Hello Derek, here are the logs that you requested:

    ComboFix 08-04-11.8 - Brian 2008-04-12 23:33:17.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT 8:00]
    Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
    * Resident AV is active

    .

    ((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
    .

    2008-04-12 10:56 . 2008-04-12 11:01 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-04-10 14:59 . 2008-04-10 14:59 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-10 12:30 . 2008-04-10 12:30 <DIR> d-------- C:\Program Files\WinClamAVShield
    2008-04-10 11:49 . 2008-04-10 12:01 <DIR> d-------- C:\Program Files\Crawler
    2008-04-10 11:49 . 2008-04-12 11:00 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Spyware Terminator
    2008-04-10 11:49 . 2008-04-12 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-04-10 11:49 . 2008-04-10 11:49 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-04-10 11:48 . 2008-04-12 11:38 <DIR> d-------- C:\Program Files\Spyware Terminator
    2008-04-10 10:59 . 2008-04-10 12:49 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
    2008-04-09 19:44 . 2008-04-09 19:44 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\TrojanHunter
    2008-04-09 17:52 . 2008-04-10 12:51 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
    2008-04-04 11:08 . 2008-04-04 11:08 10 -r------- C:\WINDOWS\PSTUDIO.SN
    2008-04-04 11:03 . 2008-04-04 11:03 572 --a------ C:\WINDOWS\maxlink.ini
    2008-04-04 11:03 . 2008-04-04 11:03 0 --a------ C:\WINDOWS\OP70.INI
    2008-04-04 11:02 . 2008-04-04 11:02 <DIR> d-------- C:\WINDOWS\Pixtran
    2008-04-04 11:02 . 2008-04-04 11:03 <DIR> d-------- C:\Program Files\Common Files\Caere
    2008-04-04 11:02 . 1998-10-12 18:08 299,520 --a------ C:\WINDOWS\Uninsop9.exe
    2008-04-04 11:02 . 1998-10-12 18:13 97,280 --a------ C:\WINDOWS\system32\opshel32.dll
    2008-04-04 11:02 . 1998-10-16 09:45 44,032 --a------ C:\WINDOWS\OP9Deins.exe
    2008-04-04 11:01 . 2008-04-04 11:01 <DIR> d-------- C:\Program Files\Caere
    2008-04-04 10:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
    2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Program Files\ArcSoft
    2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Documents and Settings\Brian\WINDOWS
    2008-04-04 10:57 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
    2008-04-04 10:57 . 2008-04-04 11:16 1,079 --a------ C:\WINDOWS\pstudio.ini
    2008-04-04 10:57 . 2008-04-04 11:16 28 --a------ C:\WINDOWS\album.ini
    2008-04-04 10:57 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\Ps_setup.ini
    2008-04-03 13:00 . 2008-04-03 13:00 <DIR> d-------- C:\Program Files\BFG
    2008-04-02 11:33 . 2008-04-02 11:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2008-03-27 14:34 . 2008-03-27 17:12 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Gamelab
    2008-03-27 14:34 . 2008-03-27 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-12 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-04-11 09:11 --------- d-----w C:\Documents and Settings\Brian\Application Data\AVG7
    2008-04-05 06:56 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-04 03:16 --------- d-----w C:\Documents and Settings\Brian\Application Data\Canon
    2008-04-04 02:56 --------- d-----w C:\Program Files\Java
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-11 23:42 --------- d-----w C:\Program Files\LimeWire
    2008-03-08 23:44 --------- d-----w C:\Program Files\Incomplete
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-21 20:30 --------- d-----w C:\Program Files\QuickTime
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= "C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2008-01-31 12:00 266240]

    [HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2008-01-31 12:00 266240]

    [HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-01-20 20:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2004-10-11 14:54 589824]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 09:18 151552]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-11 03:49 163840]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 10:29 303104]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-12 04:05 212992]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-11 06:21 188416]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 13:02 53248]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-27 02:38 866816]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 13:11 579072]
    "THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-10 11:49 2957824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 15:15 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-09-26 05:54 229952 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 21:24 286720 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-05-28 05:58 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]
    --a------ 2008-02-19 23:23 1978320 C:\DOCUME~1\Brian\LOCALS~1\Temp\CUninst.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\FreeStyle Online\\FreeStyle.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56589:TCP"= 56589:TCP:pando P2P TCP Listening Port
    "56589:UDP"= 56589:UDP:pando P2P UDP Listening Port

    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-10 11:49]
    R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2005-04-04 09:55]
    S2 713xTVCard;SAA7131 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-16 03:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f26c92a-dbd6-11da-9a0c-00142a57057f}]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-17 20:40:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-12 23:35:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-13 0:04:02
    ComboFix-quarantined-files.txt 2008-04-12 16:03:54
    Pre-Run: 31,770,972,160 bytes free
    Post-Run: 31,909,224,448 bytes free
    .
    2008-04-12 08:42:36 --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:07:21 AM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 7606 bytes

    No, prevention of autorun of all CDs, floppies or USB devices is not a problem for me. Also, I plugged in the USB drives when I ran ComboFix.

    Another thing: I share this computer with my brother, so there are 2 user profiles. He's the administrator, and I'm not sure if all the stuff I've downloaded (Spyware Terminator, TrojanHunter, HijackThis, ComboFix, TweakNow Registry Cleaner and Free Registry Cleaner) in my profile after the AVG on this desktop discovered the Trojans affects all the files in the whole computer or just mine. I ran ComboFix using my profile only. Just thought this information may be pertinent.

    Again, many thanks in advance for taking time to help! :)
     
  4. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,831
    most of the problems are due to using P2P, and the pando toolbar is adware & causes ads to be displayed and that is a big part of the problems

    you have far too many antitrojans, antiviruses, antispyware installed to even start to be able to fix anything as they will all interfere & clash

    uninstall everything antivirus & antispyware etc except your main antivirus

    which do you use mcafee or AVG as both are active & running

    then reboot & post a fresh HJT log so we can see

    once you have posted the HJT log with none of the multitude of antispywares that aren't always the best choice as the ones you have don't detect a great amount

    download Sunbelt Counterspy Free trial

    Save the install file to desktop and double click it to install counterspy

    Once it has installed, follow the set up wizard which will automatically start, allow it to update itself

    It will take a few minutes to update to the latest definitions file versions

    run a full scan & when it finishes a window will open with all items found

    They should all be marked as quarantine or delete by default so scroll down & check that nothing you know to be good or want to keep is detected. Just in case of an error select Quarantine for everything rather than delete. Then just press the take action button & follow any prompts (set anything you want to keep as ignore)

    post back with its report (on the scan page, press view details & copy that report & paste it back here)
     
  5. wishbear

    wishbear Thread Starter

    Joined:
    Apr 10, 2008
    Messages:
    13
    Oh... I thought that having many AV and spyware would help protect the computer more. I've removed everything except for AVG and 2 McAfee files which refuse to be removed from the Programs folder (error always occurs saying that these files are write-protected or are currently being used but I've installed the whole McAfee in Add/Remove programs and the Startup programs in msconfig, what should I do? The files are: Mcdetect.exe and McTskshd.exe)

    Here is the new HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:33:55 AM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

    --
    End of file - 5856 bytes

    Will download the Counterspy Free Trial next and keep you posted.
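    As an added example (not part of this thread, and not HijackThis's own code), here is a small parser that reads HJT log entries like the ones posted above and flags the items a helper looks at first: services whose binary is missing or whose owner is unknown (the McAfee leftover in this log), extra Trusted Zone sites, and URLSearchHooks that point at no file. The flagging rules are the editor's own heuristics; the sample lines are copied from the log posted above.

```python
"""Parse HijackThis 2.0.2 log lines and flag entries worth a second look.

Added example for this thread; not the HijackThis project's code. The
triage rules below are the editor's own heuristics, not an official list.
"""
import re
from dataclasses import dataclass, field

# Every HJT entry starts with a section code (R0, R1, R3, O2, O4, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the log's entries in order; headers and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entry):
    """Attach review flags to one entry and return them (empty list = nothing to note)."""
    flags = []
    body = entry.body
    if entry.code == "O23" and ("(file missing)" in body or "Unknown owner" in body):
        # A registered service with no binary or no owner is typically an
        # uninstall leftover; it is harmless but should be cleaned up.
        flags.append("orphaned service: uninstall leftover or missing binary")
    if entry.code == "O15":
        # Sites in the Trusted Zone run with relaxed IE security settings;
        # entries the user did not add deliberately deserve review.
        flags.append("extra Trusted Zone site: review whether it was added on purpose")
    if entry.code == "R3" and "(no file)" in body:
        # A URLSearchHook whose DLL is gone is a stale remnant of a hijacker.
        flags.append("URLSearchHook points at no file: stale remnant")
    if entry.code in ("R0", "R1") and re.search(r"=\s*$", body):
        # Blank start/local page values are normal but worth noting.
        flags.append("empty browser setting (informational)")
    entry.flags = flags
    return flags


def review(text):
    """Parse a whole log and return only the entries that received a flag."""
    return [e for e in parse_hjt(text) if triage(e)]


# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
"""

if __name__ == "__main__":
    for entry in review(SAMPLE_LOG):
        print(f"{entry.code}: {entry.body}")
        for flag in entry.flags:
            print(f"    -> {flag}")
```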
     
  6. wishbear

    wishbear Thread Starter

    Joined:
    Apr 10, 2008
    Messages:
    13
    Counterspy Scan results:

    Scan History Details
    Start Date: 4/14/2008 5:49:25 AM
    End Date: 4/14/2008 6:41:45 AM
    Total Time: 52 Min 20 Sec
    Detected security risks

    BrilliantDigital Adware (General) more information...
    Details: Brilliant Digital Entertainment (BDE) provides the ability for advertising and other content to be displayed using rich multimedia.
    Status: Quarantined

    Files detected
    F:\WINDOWS\BDE\b3dlogo\b3d.b3d
    F:\WINDOWS\BDE\Cache\b3d.b3d
    F:\WINDOWS\SYSTEM32\BDErastMMX3.dll


    ClearSearch Hijacker more information...
    Details: ClearSearch is an adware component that periodically contacts the search site, www.clrsch.com, for advertisement-tracking purposes.
    Status: Quarantined

    Files detected
    F:\WINDOWS\TEMP\ClrSch\FNuninstaller.EX_


    DownloadWare Adware (General) more information...
    Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control.
    Status: Quarantined

    Files detected
    F:\Program Files\MediaLoads Enhanced\install.exe
    F:\Program Files\Support Software\install.exe


    Claria.GAIN.CommonElements Adware (General) more information...
    Details: Claria's GAIN network consists of several applications inlcuding Gator eWallet, GotSmiley, ScreenSeenes, WebSecureAlert, DashBar, Weatherscope, Date Manager and Precision Time.
    Status: Quarantined

    Files detected
    F:\Program Files\Common Files\CMEII\store\core\appmgrgui.zip


    Hotbar Toolbar more information...
    Details: Hotbar Web Tools is a collection of browser and system enhancements. The primary application is the Hotbar toolbar, which is a "skinable" browser toolbar for Internet Explorer.
    Status: Quarantined

    Files detected


    KaZaA P2P Program more information...
    Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
    Status: Ignored

    Registry entries detected
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA\LocalContent


    C2.Lop Hijacker more information...
    Details: Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites.
    Status: Quarantined

    Registry entries detected
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL


    MyWebSearch Toolbar Potentially Unwanted Program more information...
    Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
    Status: Ignored

    Files detected
    F:\Program Files\Uninstall My Web Search.dll


    iSearch.Toolbar Toolbar more information...
    Details: iSearch.Toolbar is a spyware/adware toolbar that is purported to deliver advanced toolbar functions to Internet Explorer, however, it changes your browser settings.
    Status: Quarantined

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000017.exe
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000020.exe


    180solutions.SearchAssistant Adware (General) more information...
    Details: 180search Assistant is an adware application that monitors users' search queries and web surfing in order to display targeted advertising.
    Status: Quarantined

    Registry entries detected
    HKEY_LOCAL_MACHINE\Software\Classes\APPID\ACTIVEX.DLL
    HKEY_LOCAL_MACHINE\Software\Classes\APPID\ACTIVEX.DLL
    HKEY_LOCAL_MACHINE\Software\Classes\APPID\{D28CD14C-50BE-4CFA-951E-B37F25DA3472}
    HKEY_LOCAL_MACHINE\Software\Classes\APPID\{D28CD14C-50BE-4CFA-951E-B37F25DA3472}


    IST.SideFind Browser Plug-in more information...
    Details: SideFind is a browser helper object (BHO) that add a side bar to Internet Explorer and displays alternate search results in the side bar.
    Status: Quarantined

    Registry entries detected
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING


    My Search Bar Potentially Unwanted Program more information...
    Details: My Search Bar and the variants "My Way Speedbar" and "My Way Search Assistant", are browser helper objects that allows you to search on multiple search engines.
    Status: Ignored

    Registry entries detected
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID


    Zango.SearchAssistant Adware (General) more information...
    Details: Zango Search Assistant opens new browser windows showing websites based on the previous websites you visit.
    Status: Quarantined

    Registry entries detected
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid32
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\ProxyStubClsid32
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\TypeLib
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\TypeLib
    HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}\TypeLib
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\0
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\0\win32
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\0\win32
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\FLAGS
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\FLAGS
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\HELPDIR
    HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{91E523DB-2A1C-4231-BB06-9BE27C28739A}\1.0\HELPDIR


    FunWebProducts Potentially Unwanted Program more information...
    Details: Fun Web Products bundles adware software in its products.
    Status: Ignored

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000007.scr


    Netwebsearch/Adblaster Toolbar more information...
    Status: Quarantined

    Files detected
    F:\WINDOWS\Downloaded Program Files\AdInstaller.ocx


    Bifrost Backdoor more information...
    Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
    Status: Quarantined

    Registry entries detected
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\WGET


    AntiVirus Gold Rogue Security Program more information...
    Details: AntiVirus Gold is a is a purported anti-spyware and antivirus application to scan for and remove malware from users' computers.
    Status: Quarantined

    Files detected
    F:\WINDOWS\TEMP\mhfo.exe


    WindUpdates.MediaGateway Adware (General) more information...
    Details: WindUpdates.MediaGateway is an adware application that displays advertising on the desktop, usually pop-ups.
    Status: Quarantined

    Registry entries detected


    Trojan-Dropper.Multi.Gen Trojan Downloader more information...
    Status: Quarantined

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000009.exe
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000010.exe


    Dialer.Creazione Porn Dialer more information...
    Status: Quarantined

    Files detected
    F:\WINDOWS\Downloaded Program Files\internazionale_98_ver11.INF


    I-Spy (the_seed) Password Cracker/Stealer more information...
    Details: I-Spy (the_seed) is a kind of spyware program that captures passwords of dialup, cached, e-mail, network and Mozilla in a text file and uploads that file automatically to a predefined web address.
    Status: Quarantined

    Registry entries detected
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\NIRSOFT\MAILPASSVIEW
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\NIRSOFT\NETPASS


    Trojan.Flooder.Vb E-Mail Flooder more information...
    Status: Quarantined

    Files detected
    C:\Documents and Settings\bryan\Local Settings\Temp\ProphecyOfDistress\Prophecy Of Distress\Prophecy Of Distress.exe


    Cookie: Tracking Cookies Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
    Status: Deleted

    Cookies detected
     
  7. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,831
    We can sort out the McAfee leftovers quite easily.


    I think Counterspy found & fixed a few problems

    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up appears, press SAVE, choose Desktop in the list of selections in that window & press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.






    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     

    Attached Files:

  8. wishbear

    wishbear Thread Starter

    Joined:
    Apr 10, 2008
    Messages:
    13
    I don't know if you need to know this, but just in case: when I first dragged the *.txt file to ComboFix, an error message popped up saying that it failed to copy or something, so I tried dragging it a 2nd time and this time it worked. ComboFix started and rebooted my computer; then, after the message "log file will be located at c:\combofix.txt", all the files on my desktop, including the taskbar, disappeared. I thought this was normal so I left it as is. After 30 mins of no response and no new window containing the log file, I ended the task, then rebooted and started everything once again (downloading the *.txt and dragging it to ComboFix etc.); no hanging occurred this time and it was all finished in less than 10 mins. I checked the startup files and no McAfee products are starting, and there are no McAfee folders present in Program Files anymore :) But I couldn't get my Counterspy to start anymore. An error occurs when I do, saying: "The Service Controller returned No Service. You may be running a scheduled update", but there is no scheduled update running at this time. I've restarted the computer a couple of times and Counterspy still will not open.

    Anyway, here are the ComboFix and HiJackThis log files you requested:

    ComboFix 08-04-11.8 - Brian 2008-04-16 12:04:10.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191 [GMT 8:00]
    Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\CSC2.5U-EN-779-F.sbr.sgn
    c:\program files\mcafee.com
    c:\program files\mcafee.com\Agent\Mcdetect.exe
    c:\program files\mcafee.com\Agent\Mcdetect.inf
    c:\program files\mcafee.com\Agent\McTskshd.exe
    c:\program files\mcafee.com\Agent\McTskshd.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MCDETECT.EXE
    -------\Legacy_MCTSKSHD.EXE
    -------\Legacy_MCUPDMGR.EXE
    -------\Service_McDetect.exe
    -------\Service_McTskshd.exe
    -------\Service_mcupdmgr.exe


    ((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
    .

    2008-04-14 13:49 . 2008-04-14 13:49 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2008-04-14 13:49 . 2008-04-14 13:49 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2008-04-14 13:44 . 2008-04-14 13:44 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
    2008-04-14 13:43 . 2008-04-14 13:43 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Sunbelt Software
    2008-04-14 13:43 . 2008-04-14 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2008-04-14 13:42 . 2008-04-14 13:42 <DIR> d-------- C:\Program Files\Sunbelt Software
    2008-04-12 10:56 . 2008-04-12 11:01 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-04-10 14:59 . 2008-04-10 14:59 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-09 19:44 . 2008-04-09 19:44 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\TrojanHunter
    2008-04-04 11:08 . 2008-04-04 11:08 10 -r------- C:\WINDOWS\PSTUDIO.SN
    2008-04-04 11:03 . 2008-04-04 11:03 572 --a------ C:\WINDOWS\maxlink.ini
    2008-04-04 11:03 . 2008-04-04 11:03 0 --a------ C:\WINDOWS\OP70.INI
    2008-04-04 11:02 . 2008-04-04 11:02 <DIR> d-------- C:\WINDOWS\Pixtran
    2008-04-04 11:02 . 2008-04-04 11:03 <DIR> d-------- C:\Program Files\Common Files\Caere
    2008-04-04 11:02 . 1998-10-12 18:08 299,520 --a------ C:\WINDOWS\Uninsop9.exe
    2008-04-04 11:02 . 1998-10-12 18:13 97,280 --a------ C:\WINDOWS\system32\opshel32.dll
    2008-04-04 11:02 . 1998-10-16 09:45 44,032 --a------ C:\WINDOWS\OP9Deins.exe
    2008-04-04 11:01 . 2008-04-04 11:01 <DIR> d-------- C:\Program Files\Caere
    2008-04-04 10:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
    2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Program Files\ArcSoft
    2008-04-04 10:57 . 2008-04-04 10:57 <DIR> d-------- C:\Documents and Settings\Brian\WINDOWS
    2008-04-04 10:57 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
    2008-04-04 10:57 . 2008-04-04 11:16 1,079 --a------ C:\WINDOWS\pstudio.ini
    2008-04-04 10:57 . 2008-04-04 11:16 28 --a------ C:\WINDOWS\album.ini
    2008-04-04 10:57 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\Ps_setup.ini
    2008-04-02 11:33 . 2008-04-02 11:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2008-03-27 14:34 . 2008-03-27 17:12 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Gamelab
    2008-03-27 14:34 . 2008-03-27 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-16 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-04-14 02:56 --------- d-----w C:\Program Files\Java
    2008-04-14 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-04-11 09:11 --------- d-----w C:\Documents and Settings\Brian\Application Data\AVG7
    2008-04-05 06:56 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-04 03:16 --------- d-----w C:\Documents and Settings\Brian\Application Data\Canon
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-11 23:42 --------- d-----w C:\Program Files\LimeWire
    2008-03-08 23:44 --------- d-----w C:\Program Files\Incomplete
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-21 20:30 --------- d-----w C:\Program Files\QuickTime
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-01-20 20:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2004-10-11 14:54 589824]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-11 06:21 188416]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-27 02:38 866816]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 13:11 579072]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 21:24 286720]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 15:15 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-23 03:02:57 113664]
    TV Remote Control.lnk - C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe [2007-05-03 13:53:58 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
    c:\program files\mcafee.com\shared\mcappins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-09-26 05:54 229952 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 21:24 286720 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-05-28 05:58 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]
    C:\DOCUME~1\Brian\LOCALS~1\Temp\CUninst.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\FreeStyle Online\\FreeStyle.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56589:TCP"= 56589:TCP:pando P2P TCP Listening Port
    "56589:UDP"= 56589:UDP:pando P2P UDP Listening Port

    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-14 13:44]
    R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2005-04-04 09:55]
    S2 713xTVCard;SAA7131 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-16 03:00]
    S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f26c92a-dbd6-11da-9a0c-00142a57057f}]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-17 20:40:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-16 12:06:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-16 12:06:45
    ComboFix-quarantined-files.txt 2008-04-16 04:06:28
    ComboFix2.txt 2008-04-12 16:04:03
    Pre-Run: 35,218,182,144 bytes free
    Post-Run: 35,202,125,824 bytes free
    .
    2008-04-12 08:42:36 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:07:27 PM, on 4/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

    --
    End of file - 5580 bytes
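    A quick way to read a HijackThis log like the one above is to pull out only the load points (search hooks, BHOs, autoruns, trusted-zone entries, services) and flag the handful that usually deserve a second look: targets that no longer exist ("(no file)"), targets that run from a Temp folder, sites added to the IE Trusted Zone, and targets on a drive other than the system drive (the way the USB-borne infection in this thread arrived). The script below is an added example and is not part of the thread or of HijackThis itself. The sample log is constructed: a few lines are copied from the logs posted in this thread, the rest (for instance the `[sample] G:\sample.cmd` autorun) are made up to exercise each rule, and `fixed_drives` is an assumption about which drive letters are the machine's own disks.

```python
"""Triage a HijackThis-style log.

Keeps only the R*/O* load-point lines and reports the ones that an analyst
normally checks first.  Added example, not HijackThis code.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format of the HijackThis 2.0.2 log in this thread.
# A few lines are copied from the posted logs; the [sample] G:\ autorun is
# invented to show how a removable-drive load point is reported.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Uninstall_CToolbar] C:\DOCUME~1\Brian\LOCALS~1\Temp\CUninst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sample] G:\sample.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
--
End of file - 5580 bytes
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
TEMP_MARKERS = ("\\temp\\",)  # matches ...\Temp\... and ...\LOCALS~1\Temp\...


@dataclass
class Entry:
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # everything after "O4 - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R*/O* lines; the process list and headers are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def entry_path(e: Entry) -> str:
    """Best-effort extraction of the file the entry loads ('' if not applicable)."""
    if e.code == "O4":
        # O4 - <hive>\..\Run: [Name] <path> [args]
        if "] " not in e.body:
            return ""
        after = e.body.split("] ", 1)[1]
        if after.startswith('"'):  # quoted path; arguments follow the closing quote
            return after[1:].split('"', 1)[0]
        return re.split(r" [/-]", after, maxsplit=1)[0]  # unquoted: drop " /FLAG" or " -flag"
    if e.code in ("R3", "O2", "O3", "O9", "O16", "O23"):
        return e.body.rsplit(" - ", 1)[-1]  # these end with " - <path>" or " - (no file)"
    return ""


def triage(entries: List[Entry], fixed_drives: Tuple[str, ...] = ("c:",)) -> List[Finding]:
    """Apply the review rules. fixed_drives is an assumption about the machine:
    anything loading from another drive letter is reported for a look."""
    findings = []
    for e in entries:
        path = entry_path(e).lower()
        drive = re.match(r"^([a-z]):\\", path)
        if e.code == "O15":
            findings.append(Finding(e.code, "site added to IE Trusted Zone; zone restrictions no longer apply to it", e.body))
        elif path == "(no file)":
            findings.append(Finding(e.code, "orphaned load point: target file is missing", e.body))
        elif any(marker in path for marker in TEMP_MARKERS):
            findings.append(Finding(e.code, "load point runs from a temp directory", e.body))
        elif drive and drive.group(1) + ":" not in fixed_drives:
            findings.append(Finding(e.code, "load point runs from a non-system drive (removable media?)", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.code:4} {f.reason}\n     {f.body}")
```

    On the constructed sample this reports four lines: the orphaned R3 search hook, the O4 entry running from a Temp folder, the O4 entry on G:, and the O15 Trusted Zone entry. Flagged lines are starting points for a look, not verdicts; a legitimate installer can leave an O4 entry in Temp, and a second fixed disk would be added to `fixed_drives` rather than reported every time.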
     
  9. wishbear

    wishbear Thread Starter

    Joined:
    Apr 10, 2008
    Messages:
    13
    Counterspy is working again; I uninstalled and reinstalled it and did a system scan. Here's the log, just in case:

    Scan History Details
    Start Date: 4/16/2008 6:21:15 AM
    End Date: 4/16/2008 7:07:17 AM
    Total Time: 46 Min 2 Sec
    Detected security risks

    BrilliantDigital Adware (General) more information...
    Details: Brilliant Digital Entertainment (BDE) provides the ability for advertising and other content to be displayed using rich multimedia.
    Status: Quarantined

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003155.dll


    DownloadWare Adware (General) more information...
    Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control.
    Status: Deleted

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003156.exe
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003157.exe


    KaZaA P2P Program more information...
    Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
    Status: Ignored

    Registry entries detected
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\KAZAA\LocalContent


    MyWebSearch Toolbar Potentially Unwanted Program more information...
    Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
    Status: Ignored

    Files detected
    F:\Program Files\Uninstall My Web Search.dll


    My Search Bar Potentially Unwanted Program more information...
    Details: My Search Bar and the variants "My Way Speedbar" and "My Way Search Assistant", are browser helper objects that allows you to search on multiple search engines.
    Status: Ignored

    Registry entries detected
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID
    HKEY_LOCAL_MACHINE\Software\Classes\IMSIDE1EGATE.APPLICATION.1\CLSID


    FunWebProducts Potentially Unwanted Program more information...
    Details: Fun Web Products bundles adware software in its products.
    Status: Ignored

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP1\A0000007.scr


    Netwebsearch/Adblaster Toolbar more information...
    Status: Deleted

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003158.ocx


    Bifrost Backdoor more information...
    Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
    Status: Deleted

    Registry entries detected
    HKEY_USERS\S-1-5-21-1708537768-790525478-725345543-1005\SOFTWARE\WGET


    AntiVirus Gold Rogue Security Program more information...
    Details: AntiVirus Gold is a is a purported anti-spyware and antivirus application to scan for and remove malware from users' computers.
    Status: Quarantined

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003159.exe


    Dialer.Creazione Porn Dialer more information...
    Status: Deleted

    Files detected
    F:\System Volume Information\_restore{CD8420D9-5815-41FE-9E3A-D58ABCFACA89}\RP16\A0003160.INF


    Cookie: Tracking Cookies Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
    Status: Deleted

    Cookies detected
    c:\documents and settings\brian\cookies\[email protected][2].txt
    c:\documents and settings\brian\cookies\brian@atdmt[2].txt
    c:\documents and settings\brian\cookies\brian@doubleclick[1].txt
    c:\documents and settings\brian\cookies\[email protected][2].txt


    Adware.Rebates Adware (General) more information...
    Status: Deleted

    Files detected
    F:\WINDOWS\TEMP\webr.exe
     
  10. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,831
    That looks a lot better.

    Everything now is in System Restore, so we will clear that out as part of the final fix.

    Delete any CFScript.txt files on the desktop & then

    *Follow these steps to uninstall Combofix and tools used in the removal of malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the run box and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.


    then
    Turn off System Restore by following the instructions here:
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.
     
  11. wishbear

    wishbear Thread Starter

    Joined:
    Apr 10, 2008
    Messages:
    13
    Done. So as of my last log, all known malware and viruses have already been detected and removed?
     
  12. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,831
    I can't guarantee there are no more viruses & malware, but there is nothing obvious left there.
     
  13. wishbear

    wishbear Thread Starter

    Joined:
    Apr 10, 2008
    Messages:
    13
    Yay! Thanks so much Derek!! :)
     

Short URL to this thread: https://techguy.org/702271