
Solved: Need help, pop-ups, Ad-aware, and CA anti virus/anti-spyware can't remove it.

Discussion in 'Virus & Other Malware Removal' started by Sazabi02, Sep 17, 2007.

  1. Sazabi02

    Sazabi02 Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    20
    I need some help with recent problems I've been having with my PC. There are pop-ups that keep coming back, and I don't know how to remove them. I've tried scanning with Ad-aware 2007, and I even used my CA anti-spyware and anti-virus, but to no avail. So I tried manually removing it. I searched my PC for suspicious files. So I tried removing a bunch of files that may be malicious software, like winctl.exe and boat32. I found the instructions on removing them in this forum after searching for them on Google. So I did that, but the pop-ups keep coming back. I tried using HijackThis, but I'm not sure which files to delete. I've tried fixing some files that I think are harmful, but it doesn't seem to help. Can you show me what to fix in my HijackThis log? The pop-ups are an advertisement on CiD something.

    Oh, and I don't know why, but when I check my task manager it says I have 2 iexplore.exe running when I don't, because I usually use Firefox. When I end the processes they just come back. Can you help me? Thanks.

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:59:55 PM, on 9/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\carpserv.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\Program Files\PowerISO\PWRISOVM.EXE
    D:\Program Files\Winamp\winampa.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    D:\Program Files\QuickTime\QTTask.exe
    D:\WINDOWS\svcswin.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    D:\Program Files\uTorrent\utorrent.exe
    D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {C8517996-D2B4-4BE4-9A61-CEA983B69E6b} - D:\WINDOWS\system32\qvbrpkfk.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "D:\Program Files\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "D:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [LVCOMSX] "D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Device Manager] D:\WINDOWS\svcswin.exe
    O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [µTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
    O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F5624E1-E495-465C-9083-4EA3FD3C3953}: NameServer = 208.67.222.222 208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: khfgh - D:\WINDOWS\
    O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
    O20 - Winlogon Notify: ssqnopq - ssqnopq.dll (file missing)
    O20 - Winlogon Notify: tusts - D:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - d:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: PPCtlPriv - Unknown owner - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)

    --
    End of file - 10621 bytes
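    The replies in this thread single out a few entry classes in the log above: the O1 hosts-file redirects, the unnamed O2 BHO (qvbrpkfk.dll), the O4 autoruns launched from profile data folders, the O18 filter hijack, the O20 Winlogon Notify entries that point at no real DLL, the O23 services whose file is missing, and the two iexplore.exe processes the poster noticed. As an added example (not code from the thread, from HijackThis, or from Tech Support Guy), here is a small Python triage script that parses a log in this format and flags exactly those classes. The sample log is constructed from lines copied out of the log above; the severity ratings and the matching rules are this example's own assumptions, not HijackThis output.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above (paths and CLSIDs as they appear there), enough to exercise each rule.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:55 PM, on 9/17/2007

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C8517996-D2B4-4BE4-9A61-CEA983B69E6b} - D:\WINDOWS\system32\qvbrpkfk.dll
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: khfgh - D:\WINDOWS\
O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

# HijackThis entries look like "O4 - HKLM\..\Run: [...]"; R/F/O prefixes only.
ENTRY_RE = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(tag, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("tag"), m.group("body")))
    return processes, entries


def triage(processes, entries):
    """Return (tag, severity, detail) findings for the entry classes a helper
    looks at first. The rules and severities are this example's assumptions."""
    findings = []
    # Image name only, case-folded, so D:\...\iexplore.exe counts once per copy.
    names = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for name, count in names.items():
        # The poster saw two iexplore.exe although they browse with Firefox.
        if name in ("iexplore.exe", "firefox.exe") and count > 1:
            findings.append(("process", "medium", f"{name} running {count} times"))
    for tag, body in entries:
        low = body.lower()
        if tag == "O1":
            findings.append((tag, "high", "hosts-file redirect: " + body))
        elif tag == "O2" and low.startswith("bho: (no name)"):
            findings.append((tag, "high", "unnamed BHO: " + body))
        elif tag == "O4" and ("application data" in low or "applic~1" in low):
            findings.append((tag, "high", "autorun from a profile data folder: " + body))
        elif tag == "O18" and "hijack" in low:
            findings.append((tag, "high", "protocol/filter hijack: " + body))
        elif tag == "O20" and ("(file missing)" in low or body.endswith("\\")):
            findings.append((tag, "high", "Winlogon Notify with no real DLL: " + body))
        elif tag == "O23" and "(file missing)" in low:
            findings.append((tag, "low", "orphaned service entry: " + body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for tag, severity, detail in triage(procs, ents):
        print(f"[{severity:6}] {tag:8} {detail}")
```

    Run against the sample it prints nine findings: the doubled iexplore.exe, the hosts redirect, the unnamed BHO, both profile-folder autoruns, the filter hijack, both Winlogon Notify entries and the orphaned service; the Adobe BHO and the Ad-Aware tray autorun are left alone. The O23 "file missing" rows are rated low because, as in this log, they are usually leftovers of uninstalled products rather than live code.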
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download the Trial version of Superantispyware Pro (SAS):
    http://www.superantispyware.com/superantispyware.html?rid=3132

    Install it and double-click the icon on your desktop to run it.
    • It will ask if you want to update the program definitions, click Yes.
    • Under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked:
        - Close browsers before scanning
        - Scan for tracking cookies
        - Terminate memory threats before quarantining.
        - Please leave the others unchecked.
        - Click the Close button to leave the control center screen.
    • On the main screen, under Scan for Harmful Software click Scan your computer.
    • On the left check C:\Fixed Drive.
    • On the right, under Complete Scan, choose Perform Complete Scan.
    • Click Next to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes.
    • To retrieve the removal information for me please do the following:
        - After reboot, double-click the SUPERAntispyware icon on your desktop.
        - Click Preferences. Click the Statistics/Logs tab.
        - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        - It will open in your default text editor (such as Notepad/Wordpad).
        - Please highlight everything in the notepad, then right-click and choose copy.
    • Click close and close again to exit the program.
    • Please paste that information here for me with a new Hijack This log.
     
  3. Sazabi02

    Sazabi02 Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    20
    I haven't been able to finish scanning yet. There were a series of blackouts in my city the past few days. Will be posting tomorrow.
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  5. Sazabi02

    Sazabi02 Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    20
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/22/2007 at 08:59 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 07:31:43

    Memory items scanned : 378
    Memory threats detected : 0
    Registry items scanned : 6669
    Registry threats detected : 21
    File items scanned : 219093
    File threats detected : 60

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{4D1C4E89-A32A-416b-BCDB-33B3EF3617D3}
    HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}
    HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}
    HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\InprocServer32
    HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\InprocServer32#ThreadingModel
    HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\Programmable
    HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\TypeLib
    BLANK

    Trojan.Downloader-CREW
    HKLM\Software\Classes\CLSID\{C8517996-D2B4-4BE4-9A61-CEA983B69E6b}
    HKCR\CLSID\{C8517996-D2B4-4BE4-9A61-CEA983B69E6B}
    HKCR\CLSID\{C8517996-D2B4-4BE4-9A61-CEA983B69E6B}\InprocServer32
    HKCR\CLSID\{C8517996-D2B4-4BE4-9A61-CEA983B69E6B}\InprocServer32#ThreadingModel
    D:\WINDOWS\SYSTEM32\QVBRPKFK.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8517996-D2B4-4BE4-9A61-CEA983B69E6b}

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
    HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
    HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32
    HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{B71FA585-B351-4E48-8DA8-22F6F705EC73}
    HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}

    Adware.Tracking Cookie
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][3].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol m[email protected][2].txt
    C:\WINDOWS\Cookies\[email protected][2].txt
    C:\WINDOWS\Cookies\[email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][2].txt
    D:\Documents and Settings\Carol Medalla\Cookies\carol [email protected][1].txt
    D:\Documents and Settings\Medalla1\Cookies\[email protected][1].txt

    Registry Cleaner Trial
    HKU\S-1-5-21-117609710-492894223-1343024091-1003\Software\Registry Cleaner
    D:\Documents and Settings\Carol Medalla\Application Data\Registry Cleaner\Backups\2005-08-12,20-50 32 512.zip
    D:\Documents and Settings\Carol Medalla\Application Data\Registry Cleaner\Backups
    D:\Documents and Settings\Carol Medalla\Application Data\Registry Cleaner\RegClean.ini
    D:\Documents and Settings\Carol Medalla\Application Data\Registry Cleaner

    Adware.IST/ISTBar (Slotch Bar)
    HKU\S-1-5-21-117609710-492894223-1343024091-1003\Software\Microsoft\Internet Explorer\Main#BandRest [ ]
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ ]

    Adware.WhenU
    C:\ZIPPED\WHSE_SB.DAEMON1-DTLSAP1INST.EXE

    Trojan.Downloader-Gen/Inst2
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP195\A0363364.EXE

    Adware.Lop-Gen
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP196\A0365498.EXE
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP196\A0365503.EXE
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP196\A0365583.EXE
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP196\A0365584.EXE

    Trojan.Downloader-Gen/Blah
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP198\A0385202.DLL

    Trojan.Downloader-SpyTool
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{E05BBBDA-05D8-4EFF-9C81-0F128F8A5EF8}\RP198\A0385219.DLL

    Worm.Alcra Variant
    D:\WINDOWS\SYSTEM32\CMD.COM
    D:\WINDOWS\SYSTEM32\NETSTAT.COM
    D:\WINDOWS\SYSTEM32\PING.COM
    D:\WINDOWS\SYSTEM32\TASKKILL.COM
    D:\WINDOWS\SYSTEM32\TASKLIST.COM
    D:\WINDOWS\SYSTEM32\TRACERT.COM

    Trojan.Downloader-Gen/Win
    D:\WINDOWS\SYSTEM32\UNSVCHOSTS.LZMA
     
  6. Sazabi02

    Sazabi02 Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    20
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:19:12 AM, on 9/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\carpserv.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\PowerISO\PWRISOVM.EXE
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Winamp\winampa.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    D:\Program Files\QuickTime\QTTask.exe
    D:\WINDOWS\svcswin.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\uTorrent\utorrent.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "D:\Program Files\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "D:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [LVCOMSX] "D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Device Manager] D:\WINDOWS\svcswin.exe
    O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [µTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F5624E1-E495-465C-9083-4EA3FD3C3953}: NameServer = 208.67.222.222 208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: khfgh - D:\WINDOWS\
    O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
    O20 - Winlogon Notify: ssqnopq - ssqnopq.dll (file missing)
    O20 - Winlogon Notify: tusts - D:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - d:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: PPCtlPriv - Unknown owner - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)

    --
    End of file - 10737 bytes
     
  7. Sazabi02 (Thread Starter)
    81 infected files. >.<
    Weird, my Ad-aware and CA anti-spyware didn't detect even half as much.
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download ComboFix to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.
     
  9. Sazabi02 (Thread Starter)
    ComboFix 07-09-21.2 - "Administrator" 2007-09-22 12:05:26.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.117 [GMT 8:00]
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\DOCUME~1\CAROLM~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\TBSHY2XR\www.broadcaster.com
    D:\DOCUME~1\CAROLM~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    D:\DOCUME~1\CAROLM~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    D:\Program Files\Common Files\{905E7~1
    D:\Program Files\inetget2
    D:\Program Files\msmovies
    D:\WINDOWS\cookies.ini
    D:\WINDOWS\install.exe
    D:\WINDOWS\retadpu2000400.exe
    D:\WINDOWS\retadpu682.exe
    D:\WINDOWS\system32\btxapcpt.ini
    D:\WINDOWS\system32\hgfhk.bak1
    D:\WINDOWS\system32\hgfhk.ini
    D:\WINDOWS\system32\j0201837.dll
    D:\WINDOWS\system32\tpcpaxtb.dll
    D:\WINDOWS\system32\wchkekys.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\nm


    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-22 12:04 51,200 --a------ D:\WINDOWS\NirCmd.exe
    2007-09-18 22:39 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
    2007-09-18 22:38 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
    2007-09-18 22:38 <DIR> d-------- D:\DOCUME~1\CAROLM~1\APPLIC~1\SUPERAntiSpyware.com
    2007-09-17 08:40 <DIR> d-------- D:\Program Files\RapidTyping
    2007-09-17 08:39 270,336 --a------ D:\WINDOWS\UnInstall01.exe
    2007-09-17 08:39 <DIR> d-------- D:\Program Files\Learning Series
    2007-09-17 08:34 <DIR> d-------- D:\Program Files\Kiran's Typing Tutor
    2007-09-17 08:27 <DIR> d-------- D:\Program Files\TypingTutorial
    2007-09-17 08:21 <DIR> d-------- D:\Program Files\TypeFaster
    2007-09-15 10:10 <DIR> d-------- D:\Program Files\Trend Micro
    2007-09-14 07:58 <DIR> d-------- D:\Program Files\Playplatformdownload
    2007-09-05 21:26 <DIR> d-------- D:\C3BLIM
    2007-09-05 21:26 <DIR> d-------- D:\ASM
    2007-09-04 21:58 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
    2007-09-04 21:55 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
    2007-09-04 21:07 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\tool ace new army
    2007-09-04 21:06 <DIR> d-------- D:\DOCUME~1\CAROLM~1\APPLIC~1\Playplatformdownload
    2007-09-03 20:41 848,384 ---h----- D:\WINDOWS\svcswin.exe
    2007-08-24 20:45 <DIR> d-------- D:\Program Files\FLV to AVI
    2007-08-24 09:29 411,248 --a------ D:\Program Files\FLV PlayerRCSetup.exe
    2007-08-24 09:29 <DIR> d-------- D:\WINDOWS\FLV Player
    2007-08-24 09:29 <DIR> d-------- D:\Program Files\FLV Player
    2007-08-24 09:29 <DIR> d-------- D:\DOCUME~1\CAROLM~1\APPLIC~1\GetRightToGo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-22 12:14 --------- d-------- D:\DOCUME~1\CAROLM~1\APPLIC~1\Orbit
    2007-09-22 11:59 --------- d-------- D:\DOCUME~1\CAROLM~1\APPLIC~1\uTorrent
    2007-09-10 21:44 --------- d-------- D:\Program Files\Orbitdownloader
    2007-09-04 21:58 --------- d-------- D:\Program Files\Lavasoft
    2007-08-31 21:25 --------- d-------- D:\Program Files\CA
    2007-08-31 21:25 --------- d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\CA
    2007-08-28 12:26 --------- d-------- D:\DOCUME~1\CAROLM~1\APPLIC~1\Skype
    2007-08-24 20:44 --------- d-a------ D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
    2007-08-16 17:30 --------- d-------- D:\Program Files\Buddy Spy
    2007-08-16 17:20 --------- d-------- D:\Program Files\QuickTime
    2007-08-07 13:58 8320 --a------ D:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ D:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-30 11:52 --------- d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Warn Soap Open Fork
    2006-10-03 20:52 45 --a------ D:\DOCUME~1\CAROLM~1\test.bat
    2005-11-04 07:29 72832 -ra------ D:\WINDOWS\inf\CamAvb.sys
    2004-07-30 09:56 90112 --a------ D:\Program Files\Common Files\PCSBclean.exe
    2004-07-26 15:30 291840 --a------ D:\Program Files\Common Files\PCSBoff.exe
    2003-06-13 12:27 271 ---hs---- D:\Program Files\desktop.ini
    2003-06-13 12:27 21952 --ah----- D:\Program Files\folder.htt
    2004-08-04 07:56:49 454,656 --sh--r D:\WINDOWS\system32\boat32.exe
    2000-06-08 09:00:00 1,638,400 --sh--r D:\WINDOWS\system32\winctl.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "SpeedTouch USB Diagnostics"="D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
    "SiSUSBRG"="D:\WINDOWS\SiSUSBrg.exe" [2002-07-12 18:15]
    "Cmaudio"="cmicnfg.cpl" []
    "CARPService"="carpserv.exe" []
    "RegistryMechanic"="" []
    "NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
    "NWEReboot"="" []
    "NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-04 19:55]
    "DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-09-15 04:09]
    "PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 20:23]
    "WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2007-05-15 06:22]
    "LogitechQuickCamRibbon"="D:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]
    "LVCOMSX"="D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2007-02-06 17:43]
    "LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
    "QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "Microsoft Device Manager"="D:\WINDOWS\svcswin.exe" [2007-09-03 20:40]
    "AAWTray"="D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
    "New army itch mpeg"="D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe" [2007-09-22 12:13]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]
    "µTorrent"="D:\Program Files\uTorrent\utorrent.exe" [2007-08-16 11:44]
    "uTorrent"="D:\Program Files\uTorrent\utorrent.exe" [2007-08-16 11:44]
    "Bore Bash"="D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe" [2007-09-14 07:57]
    "SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgh]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnollj]
    pmnollj.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnopq]
    ssqnopq.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tusts]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=D:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    backup=D:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]
    "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j0201837]
    rundll32 D:\WINDOWS\system32\j0201837.dll sook

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42456e70-46df-11da-80b5-000e50049343}]
    AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825534b2-e245-11db-92a6-000e50049343}]
    AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91c3a4e7-421b-11db-85b1-000e50049343}]
    AutoRun\command- K:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{945132d6-cea4-11db-9268-000e50049343}]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d76e8b01-9960-11db-914c-000e50049343}]
    - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfdc8d80-4249-11db-85b2-000e50049343}]
    - H:\Setup.exe -auto

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e18fa270-a304-11db-9192-000e50049343}]
    - AdobeR.exe e
    - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f91d5230-149c-11dc-933a-98bce7a7d562}]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-22 04:00:15 D:\WINDOWS\Tasks\A0E864A2918FE006.job"
    - d:\docume~1\carolm~1\applic~1\playpl~1\Armyoptiontitle.exe
    "2007-09-13 08:15:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-22 12:13:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-22 12:17:30 - machine was rebooted
    D:\ComboFix-quarantined-files.txt ... 2007-09-22 12:17
    .
    --- E O F ---
     
  10. Sazabi02 (Thread Starter)
    Is it OK to ask what ComboFix did? Uhmmm... for future reference? XD

    I'm currently taking up Computer Science in college, and it'd be great to know a bit of how this works in the future.
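
    The ComboFix log above answers part of that question itself. Its "Reg Loading Points" section lists every registry location Windows re-launches something from, and the MountPoints2 keys are Explorer's record of the autorun command attached to each drive that has been opened on this machine: double-click the drive icon and that command runs. Two of the entries here invoke wscript.exe on a .vbs through a rundll32 ShellExec shim, which is a very different thing from a CD's K:\autorun.exe, and the "Scheduled Tasks" section shows a job with a 16-hex-digit name pointing into the same profile folder the "Bore Bash" Run entry launches from. The parser below is an added example written for this page, not ComboFix code and not part of the thread; it reads an excerpt of the log posted above (embedded in the block) and marks the AutoRun commands and tasks that a reviewer would look at first. The launcher list, the "relative path" rule and the hex-job-name rule are this example's own heuristics, not ComboFix's, and a flag means "check this", not "malware".

```python
"""Pull the re-launch points out of a ComboFix log.

Added example for this thread; it is not ComboFix code. ComboFix lists
registry load points as '[HKEY_...]' headers followed by value lines, and
scheduled tasks as a quoted '.job' line followed by '- target'. This pulls
out the MountPoints2 AutoRun commands (what Explorer runs when a drive icon
is double-clicked) and the tasks, and marks the ones worth a second look.
Flags are heuristics for review, not verdicts.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
TASK_RE = re.compile(r'^"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<job>.+\.job)"$')
PROFILE_MARKERS = ("application data", "applic~1", "docume~1")
# a drive's autorun should not need a script host or a rundll32 ShellExec shim
SUSPICIOUS_LAUNCHERS = ("wscript.exe", "cscript.exe", "shellexec_rundll")


def registry_blocks(lines):
    """Map each '[HKEY_...]' header to the value lines under it; a '.' line ends the list."""
    blocks, key = {}, None
    for line in lines:
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            blocks[key] = []
        elif line == ".":
            key = None
        elif key and line:
            blocks[key].append(line)
    return blocks


def autorun_suspicious(cmd):
    """Relative target (resolved against the drive root) or a script launcher."""
    low = cmd.lower()
    if not re.match(r"^[a-z]:\\", low):
        return True
    return any(s in low for s in SUSPICIOUS_LAUNCHERS)


def triage(text):
    """Return {'autorun': [(guid, cmd, flag)], 'tasks': [(job, target, flag)]}."""
    report = {"autorun": [], "tasks": []}
    lines = text.splitlines()
    for key, values in registry_blocks(lines).items():
        if "\\mountpoints2\\" not in key.lower():
            continue  # Run keys are listed too; only drive AutoRun entries here
        guid = key.rsplit("\\", 1)[1]
        for v in values:  # 'AutoRun\command- <cmd>' or a bare '- <cmd>'
            cmd = v.split("- ", 1)[1] if "- " in v else v
            report["autorun"].append((guid, cmd, autorun_suspicious(cmd)))
    for i, line in enumerate(lines):
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        target = nxt[2:] if nxt.startswith("- ") else ""
        stem = m.group("job").rsplit("\\", 1)[-1][:-4]
        # a 16-hex-digit job name or a target inside a user profile is worth a look
        flag = bool(re.fullmatch(r"[0-9A-F]{16}", stem)) or any(p in target.lower() for p in PROFILE_MARKERS)
        report["tasks"].append((m.group("job"), target, flag))
    return report


# Excerpt of the ComboFix log posted above; only the lines this parser reads.
SAMPLE = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Device Manager"="D:\WINDOWS\svcswin.exe" [2007-09-03 20:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42456e70-46df-11da-80b5-000e50049343}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91c3a4e7-421b-11db-85b1-000e50049343}]
AutoRun\command- K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e18fa270-a304-11db-9192-000e50049343}]
- AdobeR.exe e
- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 04:00:15 D:\WINDOWS\Tasks\A0E864A2918FE006.job"
- d:\docume~1\carolm~1\applic~1\playpl~1\Armyoptiontitle.exe
"2007-09-13 08:15:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"""

if __name__ == "__main__":
    r = triage(SAMPLE)
    for guid, cmd, flag in r["autorun"]:
        print("FLAG" if flag else "    ", guid, cmd)
    for job, target, flag in r["tasks"]:
        print("FLAG" if flag else "    ", job, "->", target or "(no target listed)")
```

    Run it against a full log by passing the file's text to triage(). Deleting the file a MountPoints2 command points at does not clear the key, which is why a reviewer checks these entries after a cleanup and, on the drive itself, deletes the autorun.inf that seeded them.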
     
  11. Sazabi02 (Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:34, on 2007-09-22
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\carpserv.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\PowerISO\PWRISOVM.EXE
    D:\Program Files\Winamp\winampa.exe
    D:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    D:\Program Files\QuickTime\QTTask.exe
    D:\WINDOWS\svcswin.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    D:\Program Files\uTorrent\utorrent.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "D:\Program Files\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "D:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [LVCOMSX] "D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Device Manager] D:\WINDOWS\svcswin.exe
    O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [µTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F5624E1-E495-465C-9083-4EA3FD3C3953}: NameServer = 208.67.222.222 208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: khfgh - D:\WINDOWS\
    O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
    O20 - Winlogon Notify: ssqnopq - ssqnopq.dll (file missing)
    O20 - Winlogon Notify: tusts - D:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - d:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: PPCtlPriv - Unknown owner - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)

    --
    End of file - 10466 bytes
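
    A reviewer reading the log above looks for a handful of patterns before deciding what to fix: Winlogon Notify keys whose DLL is "(file missing)" or whose path is just D:\WINDOWS\ (Notify DLLs are loaded by winlogon.exe, as SYSTEM, at every logon, so a dangling one is an orphaned privileged load point that the deleted DLL's name still reveals), services and the text/html filter registered to files that no longer exist, Run entries that start from a user profile folder or carry a Microsoft-sounding name while launching from outside system32, and DNS servers that are neither on the LAN nor ones the user chose. The script below is an added example for this page, not HijackThis code and not a reply in the thread; it encodes those rules and runs them over lines excerpted from the HijackThis logs posted here. The trusted-resolver set is an assumption (the OpenDNS pair this log shows), and a hit is a prompt to check the entry, not a verdict.

```python
"""Flag HijackThis lines that deserve a second look.

Added example for this thread, not HijackThis code. The rules mirror what
the helpers acted on: Winlogon Notify keys whose DLL is gone (Notify DLLs
load into winlogon.exe as SYSTEM at every logon), services and MIME filters
pointing at nothing, Run entries starting from a user profile or borrowing a
Microsoft-sounding name outside system32, and public resolvers the user did
not choose. A hit is a prompt to check the entry, not a verdict.
"""
import ipaddress
import re

LINE_RE = re.compile(r"^(?P<sec>O\d+|R\d) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROFILE_MARKERS = ("application data", "applic~1", "docume~1")
# assumption: the resolvers the user configured (the OpenDNS pair in this log)
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}


def reasons(line):
    """Return the reasons one HJT line is flagged; an empty list means none apply."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, rest = m.group("sec"), m.group("rest")
    low = rest.lower()
    out = []
    if sec == "R3" and "(no file)" in low:
        out.append("URL search hook with no file behind it")
    if sec == "O4":
        r = RUN_RE.match(rest)
        if r:
            name, cmd = r.group("name").lower(), r.group("cmd").lower()
            if any(p in cmd for p in PROFILE_MARKERS):
                out.append("Run entry launching from a user profile directory")
            if ("microsoft" in name or "windows" in name) and "\\system32\\" not in cmd:
                out.append("Run entry with a Microsoft-sounding name outside system32")
    if sec == "O10" and "unknown file" in low:
        out.append("Winsock LSP HijackThis could not identify; check the file's publisher")
    if sec == "O17":
        for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", rest):
            if not ipaddress.ip_address(ip).is_private and ip not in TRUSTED_DNS:
                out.append(f"resolver {ip} is public and not one the user chose")
    if sec == "O18" and low.startswith("filter hijack") and "(no file)" in low:
        out.append("MIME filter registered with no handler DLL")
    if sec == "O20" and (rest.endswith("\\") or "(file missing)" in low):
        out.append("Winlogon Notify key with no DLL: orphaned SYSTEM-level load point")
    if sec == "O23" and "(file missing)" in low:
        out.append("service registered for a binary that no longer exists")
    return out


def triage(log_text):
    """Return [(line, reasons)] for every flagged line in an HJT log."""
    hits = []
    for line in log_text.splitlines():
        why = reasons(line)
        if why:
            hits.append((line.strip(), why))
    return hits


# Lines excerpted from the HijackThis logs in this thread.
SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Device Manager] D:\WINDOWS\svcswin.exe
O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F5624E1-E495-465C-9083-4EA3FD3C3953}: NameServer = 208.67.222.222 208.67.220.220
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfgh - D:\WINDOWS\
O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - d:\program files\mcafee.com\agent\mcdetect.exe (file missing)
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE):
        print(line)
        for w in why:
            print("   ->", w)
```

    The rules deliberately do not use the random-looking names (khfgh, pmnollj, "Bore Bash") as evidence, because name heuristics produce as many false hits as true ones; what they key on is the relationship between the entry and the file it points at. The O10 hit on nwprovau.dll is a case in point: HijackThis cannot attribute it, but that is a reason to check the publisher, not to remove a Winsock provider.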
     
  12. Cheeseball81 (Retired Moderator)
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    And post a new HijackThis log.
     
  13. Sazabi02 (Thread Starter)
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\iglvfyqv

    *******************

    Script file located at: \??\D:\drsgyhml.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at D:\Avenger

    *******************

    Beginning to process script file:

    File D:\WINDOWS\svcswin.exe deleted successfully.
    File D:\WINDOWS\system32\boat32.exe deleted successfully.
    File D:\WINDOWS\system32\winctl.exe deleted successfully.


    File D:\WINDOWS\system32\j0201837.dll not found!
    Deletion of file D:\WINDOWS\system32\j0201837.dll failed!

    Could not process line:
    D:\WINDOWS\system32\j0201837.dll
    Status: 0xc0000034



    File D:\WINDOWS\system32\pmnollj.dll not found!
    Deletion of file D:\WINDOWS\system32\pmnollj.dll failed!

    Could not process line:
    D:\WINDOWS\system32\pmnollj.dll
    Status: 0xc0000034



    File D:\WINDOWS\system32\ssqnopq.dll not found!
    Deletion of file D:\WINDOWS\system32\ssqnopq.dll failed!

    Could not process line:
    D:\WINDOWS\system32\ssqnopq.dll
    Status: 0xc0000034

    Folder D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army deleted successfully.
    Folder D:\Program Files\uTorrent deleted successfully.
    Folder d:\docume~1\carolm~1\applic~1\playpl~1 deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  14. Sazabi02 (Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:57, on 2007-09-23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\carpserv.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\PowerISO\PWRISOVM.EXE
    D:\Program Files\Winamp\winampa.exe
    D:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    D:\Program Files\QuickTime\QTTask.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "D:\Program Files\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "D:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [LVCOMSX] "D:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Device Manager] D:\WINDOWS\svcswin.exe
    O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [µTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\utorrent.exe"
    O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F5624E1-E495-465C-9083-4EA3FD3C3953}: NameServer = 208.67.222.222 208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0290BC1B-AAAF-4896-91D9-8C7FED5C0041}: NameServer = 192.168.10.9
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: khfgh - D:\WINDOWS\
    O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
    O20 - Winlogon Notify: ssqnopq - ssqnopq.dll (file missing)
    O20 - Winlogon Notify: tusts - D:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - d:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: PPCtlPriv - Unknown owner - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)

    --
    End of file - 10473 bytes
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O4 - HKLM\..\Run: [Microsoft Device Manager] D:\WINDOWS\svcswin.exe

    O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe

    O4 - HKCU\..\Run: [µTorrent] "D:\Program Files\uTorrent\utorrent.exe"

    O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\utorrent.exe"

    O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe

    O20 - Winlogon Notify: khfgh - D:\WINDOWS\

    O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)

    O20 - Winlogon Notify: ssqnopq - ssqnopq.dll (file missing)

    O20 - Winlogon Notify: tusts - D:\WINDOWS\

    O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)


    Reboot, post a new log.
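Added example, not part of the thread or of HijackThis itself: a small Python triage pass over HijackThis log lines that flags the mechanical indicators behind several items in the fix list above (Winlogon Notify entries whose DLL is missing or whose path is a bare directory, services whose file is missing, and autoruns launched from the user profile's Application Data). The three rules and the `triage`/`as_hjt_lines` names are my own; the sample lines are a subset copied from the log above, and entries such as `[Microsoft Device Manager] D:\WINDOWS\svcswin.exe` are not caught by these rules and still need an analyst's judgement.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log above (a subset covering each rule
# plus benign neighbours); only the selection is mine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [New army itch mpeg] D:\Documents and Settings\All Users.WINDOWS\Application Data\tool ace new army\Software View.exe
O4 - HKCU\..\Run: [Bore Bash] D:\DOCUME~1\CAROLM~1\APPLIC~1\PLAYPL~1\NurbGlueEnc.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfgh - D:\WINDOWS\
O20 - Winlogon Notify: pmnollj - pmnollj.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SpywareCleanerService - Unknown owner - D:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

# Every HijackThis entry starts with a section code ("O4", "O20", "R0", ...).
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Run entries launched from the user profile's Application Data (long or 8.3 form).
PROFILE_DATA_RE = re.compile(r"application data|APPLIC~1", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    body: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries matching one of three mechanical indicators, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, header and footer lines are not entries
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O20", "O23") and body.endswith("(file missing)"):
            findings.append(Finding(sec, body, "registered file no longer exists"))
        elif sec == "O20" and body.endswith("\\"):
            findings.append(Finding(sec, body, "Winlogon Notify names a directory, not a DLL"))
        elif sec == "O4" and PROFILE_DATA_RE.search(body):
            findings.append(Finding(sec, body, "autorun launches from user-writable profile data"))
    return findings


def as_hjt_lines(findings: list[Finding]) -> list[str]:
    """Re-emit findings in HijackThis format so they can be compared with a fix list."""
    return [f"{f.section} - {f.body}" for f in findings]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:<4} {finding.reason:<48} {finding.body}")
```

Run it against a full saved log to get a first cut of entries worth a closer look; every hit still needs to be checked by hand before it goes into "Fix Checked".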
     
Short URL to this thread: https://techguy.org/625174