1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Help! Please :(

Discussion in 'Virus & Other Malware Removal' started by Elsy, Jan 31, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    Hi.
    Yesterday I put my hijackthis log, Smitfraudfix log and AVG antivirus Result.
    But noone has replied me yet. My PC runs so slow. :(
    PLEASE HELP !!!!!!!!!!!! :confused: :( :(
     
  2. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 0:19:02 07.01.31

    + Scan result:



    :mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.55:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    :mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.49:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.50:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
     
  3. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    SmitFraudFix v2.137

    Scan done at 22:32:39,70, 07.01.30
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    Logfile of HijackThis v1.99.1
    Scan saved at 15:29:43, on 07.01.31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Q-Type Pro\OSD.EXE
    C:\Program Files\Q-Type Pro\MulMouse.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Logitech\Video\AlbumDB2.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\Documents and Settings\Administrator\My Documents\My eBooks\works\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oops.mn/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [dll] c:\system32\rose.exe
    O4 - HKLM\..\Run: [ISS_SIP] C:\Program Files\Anti Keylogger Elite\AKE.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Q-Type Pro.lnk = C:\Program Files\Q-Type Pro\MagicKey.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169621498343
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: svchosts (srvTaskManager) - Unknown owner - C:\WINDOWS\system32\TaskManager.exe
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You have at least two trojan/ worms.

    Rats.....

    TSG site is doing it's daily backup right now, probably you are seeing that message, too. It will be working again in just a few minutes. I have to go for tonite- it's pretty late here in NY (3:55AM).

    Try an online scanner:

    • Please go HERE and click Kaspersky Online Scanner
    • Read and Accept the Agreement
    • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • If you see a Windows dialog asking if you want to install this software, click the Install button.
    • The program will launch and then begin downloading the latest definition files,
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
    • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
    • Copy and Paste the contents of the on line scanner results into a Reply here in your thread, along with a new HJT log and log from any other scans you run.


    If Kaspersky won't run, try this one:

    HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    For either, follow the directions, and try to do as little as possible during the scan. There is no need to be surfing around, or to read more posts here tonite.

    We will have to continue tomorrow...but you can scan
    with your installed programs, update them....

    I am enclosing directions for you to set AVG Antispyware and run a scan in Safe Mode. Please do that after the virus scan.

    run AVG Anti-Spyware and update the definition files.
    [*]On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    • Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Note: If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click avgas-signatures-full-current.exe to update it.
    [*]Close
    Settings to scan with AVG Anti-Spyware: :
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and
      UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3.If you were scanning now, you would Click "Complete System Scan" to start.
    4. When the scan finished you'd be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format like>: Report-Scan-20070126-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. The steps below this pertain to the actual Scan, which is done after you start up in Safe Mode.
    [/list]
    _ _ _ _ _
    .
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    5. If you have any infections you will be prompted. Then select "Apply all actions."
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
    8. .Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.


    Paste the virus scan result log, the AVG log, and a new Hijackthis log. SmitFraudFix did not find anything, don't need a new log from that.

    I will not be around very early but I will check this thread as soon as I can.
     
  6. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, January 31, 2007 7:45:45 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 31/01/2007
    Kaspersky Anti-Virus database records: 263687
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics:
    Total number of scanned objects: 61709
    Number of viruses found: 1
    Number of infected objects: 1 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:58:11

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\history.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\key3.db Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\00b9_File_Monitoring_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\00bb_Web_Monitoring_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\00be_pdm_eventcritlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\00be_pdm_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\00ca_Scan_My_Computer_eventcritlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\00ca_Scan_My_Computer_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{FD5EDBD5-5FC1-491C-86BA-B3D071B3E19A}\RP55\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{AD518641-4169-480E-BEDF-F4D5260AF8E6}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{FD5EDBD5-5FC1-491C-86BA-B3D071B3E19A}\RP55\change.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{FD5EDBD5-5FC1-491C-86BA-B3D071B3E19A}\RP55\change.log Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\System Volume Information\_restore{FD5EDBD5-5FC1-491C-86BA-B3D071B3E19A}\RP55\change.log Object is locked skipped

    Scan process completed.
     
  7. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    Panda Scanner Report


    Incident Status Location

    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
     
  8. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 22:59:45 07.01.31

    + Scan result:



    Nothing found.


    ::Report end
     
  9. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    Logfile of HijackThis v1.99.1
    Scan saved at 0:35:43, on 07.02.01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\rmctrl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\TaskManager.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Documents and Settings\Administrator\My Documents\My eBooks\works\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [dll] c:\system32\rose.exe
    O4 - HKLM\..\Run: [ISS_SIP] C:\Program Files\Anti Keylogger Elite\AKE.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Q-Type Pro.lnk = C:\Program Files\Q-Type Pro\MagicKey.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169621498343
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: svchosts (srvTaskManager) - Unknown owner - C:\WINDOWS\system32\TaskManager.exe
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Use this one file at a time scan online, you just use the "Browse" button at either site below, navigate in the window that comes up to the file below in C:\WINDOWS\system32 and when you get to TaskManager.exe highlight it with mouse and the path will show in the Submit or Upload space, submit the file and wait just some seconds for scan results.




    C:\WINDOWS\system32\TaskManager.exe <<this is the file you want to upload for scanning.

    Copy the results here in a reply please.

    Here is the sites to use: http://virusscan.jotti.org/

    Or > http://www.kaspersky.com/scanforvirus
     
  11. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    Scan taken on 01 Feb 2007 09:09:03 (GMT)
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing
     
  12. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    Scanned file: TaskManager.exe

    Statistics:
    Known viruses: 263878 Updated: 01-02-2007
    File size (Kb): 350 Virus bodies: 0
    Files: 1 Warnings: 0
    Archives: 0 Suspicious: 0
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Update AVG Antispyware to latest detection files.
    Make sure Kaspersky antivirus is updated.
    Next: Copy and paste the steps into a Notepad text file and save them as steps.tx (or whatever.txt) to your Desktop so you can refer to them while in Safe Mode.

    Download ComboFix to your Desktop.
    Don't do anything with it yet, at all, we will later.

    * Restart your computer into safe mode now.To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu"
    Use your arrow keys to move to "Safe Mode" and press your Enter key.

    Next:

    Run Hijackthis again, put a check next to the entry in your scan window, then, close all other windows including this browser window and click "Fix Checked" in Hijackthis.


    O4 - HKLM\..\Run: [dll] c:\system32\rose.exe


    Next, make sure you can see all files, this way:

    Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Open Windows Explorer and find the file at the end of this line

    c:\system32\rose.exe <<<delete rose.exe


    ****Run scans with Kaspersky antivirus and/or AVG Antispyware (in Safe Mode).


    Still in Safe Mode

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Run ComboFix:

    Note: Do not mouseclick combofix's window while it's running as that may cause it to stall


    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply

    Note: Do not mouseclick combofix's window while it's running as that may cause it to stall

    _ _ _ _ _

    This is info about what I am pretty sure you have had:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SETROX.A&VSect=Sn

    Note that the exact same entry appeared in your Hijackthis log

    ((O4 - HKLM\..\Run: [dll] c:\system32\rose.exe))

    You do not need to do the things they have at that page.


    I still think the other file is bad, but wait on fixing it as I want to see those logs first.

    OK, get those things done and post the HJT log, Combo Fix log, and any others that detect anything.
     
  14. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    AVG Anti Spyware LOG.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 12:11:51 07.02.04

    + Scan result:



    :mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.67:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.69:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.70:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.65:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.80:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
    :mozilla.46:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.47:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bau9wpz3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
     
  15. Elsy

    Elsy Thread Starter

    Joined:
    Dec 8, 2006
    Messages:
    107
    COMBOFIX :)

    "Administrator" - 07-02-04 12:14:57 Service Pack 2
    ComboFix 07.02.04 - Running from: "C:\Documents and Settings\Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2007-01-04 to 2007-02-04 ))))))))))))))))))))))))))))))))))


    2007-02-03 16:02 <DIR> d-------- C:\Temp
    2007-02-02 20:04 <DIR> d-------- C:\My Music
    2007-02-02 19:40 587,264 --a------ C:\WINDOWS\system32\Bold 440Hz Screen Saver.scr
    2007-02-02 19:40 283,648 --a------ C:\WINDOWS\system32\uninstall.exe
    2007-01-31 19:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-01-31 17:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-01-30 22:51 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-01-30 22:51 <DIR> d-------- C:\Program Files\Grisoft
    2007-01-30 22:32 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2007-01-30 22:32 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-01-30 22:32 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-01-30 22:32 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2007-01-30 22:32 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-01-30 22:32 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2007-01-30 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Kaspersky Lab
    2007-01-30 16:29 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-01-30 16:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\PC Tools
    2007-01-30 01:34 10,027 --a------ C:\WINDOWS\system32\mspriv32.dll
    2007-01-30 00:48 <DIR> d--hs---- C:\WINDOWS\CSC
    2007-01-29 00:08 <DIR> d-------- C:\KAV
    2007-01-28 20:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
    2007-01-24 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
    2007-01-24 11:43 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-01-23 22:55 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
    2007-01-22 22:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Help
    2007-01-22 15:52 <DIR> d-------- C:\WINDOWS\WBEM
    2007-01-22 15:52 <DIR> d-------- C:\WINDOWS\system32\en-US
    2007-01-22 15:50 <DIR> d--h-c--- C:\WINDOWS\ie7
    2007-01-22 15:46 121,856 --------- C:\WINDOWS\system32\xmllite.dll
    2007-01-22 15:44 <DIR> d-------- C:\WINDOWS\network diagnostic
    2007-01-21 22:14 <DIR> d-------- C:\admtf
    2007-01-20 17:43 397,312 --a------ C:\WINDOWS\system32\win32sys.dll
    2007-01-20 17:43 357,728 --a------ C:\WINDOWS\system32\TaskManager.exe
    2007-01-19 16:24 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
    2007-01-19 16:24 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2007-01-19 15:47 200,768 --a------ C:\WINDOWS\system32\klogon.dll
    2007-01-08 00:03 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-01-08 00:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-01-08 00:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-01-07 13:55 <DIR> d-------- C:\MediaUnInst
    2007-01-04 07:57 140 -r-hs---- C:\WINDOWS\system32\run.reg


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-04 10:26 -------- d-------- C:\Program Files\mozilla firefox
    2007-02-04 10:23 -------- d-------- C:\Program Files\microsoft antispyware
    2007-01-31 23:04 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\adobeum
    2007-01-31 20:59 -------- d-------- C:\Program Files\q-type pro
    2007-01-31 19:19 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\adobe
    2007-01-30 22:32 2964 --a------ C:\WINDOWS\system32\tmp.reg
    2007-01-30 18:19 -------- d-------- C:\Program Files\kaspersky lab
    2007-01-23 20:32 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\macromedia
    2007-01-22 23:48 -------- d-------- C:\Program Files\google
    2007-01-22 21:02 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-22 14:52 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
    2006-12-28 00:09 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\google
    2006-12-24 22:12 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\yahoo!
    2006-12-24 20:47 -------- d-------- C:\Program Files\yahoo!
    2006-12-11 15:36 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\cyberlink
    2006-12-10 00:20 -------- d-------- C:\Program Files\messenger
    2006-12-09 18:50 -------- d-------- C:\Program Files\java
    2006-12-09 18:48 -------- d-------- C:\Program Files\Common Files\java
    2006-12-09 15:03 -------- d--h----- C:\Program Files\zero g registry
    2006-12-09 14:59 -------- d-------- C:\Program Files\logitech
    2006-11-07 21:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "RemoteControl"="C:\\WINDOWS\\system32\\rmctrl.exe"
    "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
    "kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
    "LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
    "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
    "LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "ISS_SIP"="C:\\Program Files\\Anti Keylogger Elite\\AKE.exe"
    "AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "isamini.exe"="C:\\Program Files\\Video ActiveX Object\\isamonitor.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{08de79c5-6b96-11db-8f59-00e04c771968}]
    Shell\AutoRun\command l;kgj.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27d73f53-185c-11db-b8f4-00e04c771968}]
    Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
    Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{330969b8-8e25-11db-a960-00e04c771968}]
    Shell\Auto\command I:\RavMon.exe e
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{490c6315-34af-11db-8c49-00e04c771968}]
    Shell\AutoRun\command reper.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{83b5a666-182e-11db-94b1-00e04c771968}]
    Shell\AutoRun\command R.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f615fdc-517f-11db-8f25-00e04c771968}]
    Shell\AutoRun\command I:\
    Shell\explore\Command WScript.exe .\autorun.vbs
    Shell\open\Command WScript.exe .\autorun.vbs

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba9d1740-184c-11db-bd91-806d6172696f}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba9d1741-184c-11db-bd91-806d6172696f}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c041139c-183c-11db-bd0f-00e04c771968}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f50b9e62-887b-11db-a94d-00e04c771968}]
    Shell\AutoRun\command I:\WD_Windows_Tools\setup.exe


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-04 12:16:55
    C:\ComboFix2.txt ... 07-01-31 16:58
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/539855

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice