1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: please help

Discussion in 'Virus & Other Malware Removal' started by tarzan4you, Jul 8, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    I have trying to post for 10 days with no response. most of tie time I cannot even access your site. cannnot open most sites. I ran super anti spyware again to see if it would help. mostle cookies but a root kit also appared
    Logfile of HijackThis v1.99.1
    Scan saved at 5:31:36 PM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    C:\WINDOWS\ALCFDRTM.EXE
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\SpywareGuard\sgmain.exe
    C:\SpywareGuard\sgbhp.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: PopKiller Class - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Internet Eraser\pkext.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - C:\Internet Eraser\AbsoluteBar.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    • Click here to download AVG Anti Rootkit and save it to your desktop.
    • Double-click on avgarkt-setup-1.1.0.42.exe to install it.
    • Click "I Agree" to agree to the EULA.
    • By default it will install to "C:\Program Files\GRISOFT\AVG Anti-Rootkit".
    • Click "Next" to begin the installation then click "Install".
    • It will then ask you to reboot now to finish the installation.
    • Click "Finish" and your computer will reboot.
    • After it reboots, double-click on the AVG Anti-Rootkit shortcut that is now on your desktop.
    • Click on the Perform in-depth search button to begin the scan.
    • The scan will take a while so be patient and let it complete.
    • When the scan is finished, click the Save result to file button.
    • Save the scan results to your desktop then copy and paste them in your next reply to this thread.
     
  3. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    ran the anti root kit. it came back saying there are no rootkits on your computer
    here is the avg log I referred to:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/06/2007 at 05:05 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 00:40:26

    Memory items scanned : 489
    Memory threats detected : 0
    Registry items scanned : 5530
    Registry threats detected : 0
    File items scanned : 40955
    File threats detected : 21

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\sue\Cookies\[email protected][2].txt
    C:\Documents and Settings\sue\Cookies\[email protected][1].txt
    C:\Documents and Settings\sue\Cookies\[email protected][1].txt
    C:\Documents and Settings\sue\Cookies\[email protected][1].txt
    C:\Documents and Settings\sue\Cookies\[email protected][2].txt

    Trojan.Rootkit-TnCore
    C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
  5. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    winsecurity alert came up on rebooting asking if i wanted to block yahoo messenger
    i clicked ask me later as i did not know how to answer
    also spyware guard kept asking before reboot about changing home pagei tried to keep the old ones. hope i did not mess up

    "Owner" - 2007-07-09 17:39:41 - ComboFix 07-07-10.1 - Service Pack 2


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\65084521.exe
    C:\Program Files\deskalerts
    C:\Program Files\deskalerts\basis.xml
    C:\Program Files\deskalerts\cancel_button.gif
    C:\Program Files\deskalerts\deskbar.crc
    C:\Program Files\deskalerts\deskbar.inf
    C:\Program Files\deskalerts\history.html
    C:\Program Files\deskalerts\hs_delete.bmp
    C:\Program Files\deskalerts\hs_search.bmp
    C:\Program Files\deskalerts\icons.bmp
    C:\Program Files\deskalerts\mbclose.bmp
    C:\Program Files\deskalerts\mblogo.bmp
    C:\Program Files\deskalerts\notify.wav
    C:\Program Files\deskalerts\options.html
    C:\Program Files\deskalerts\save_button.gif
    C:\Program Files\deskalerts\title_back.gif
    C:\Program Files\deskalerts\version.txt
    C:\temp\tn3
    C:\WINDOWS\10504656.exe
    C:\WINDOWS\11705562.exe
    C:\WINDOWS\12906187.exe
    C:\WINDOWS\14106859.exe
    C:\WINDOWS\15307500.exe
    C:\WINDOWS\5712875.exe
    C:\WINDOWS\9298750.exe
    C:\WINDOWS\new_drv.sys
    C:\WINDOWS\system32\13681484.exe
    C:\WINDOWS\system32\bund1
    C:\WINDOWS\system32\bund1\ClientBundle1.exe
    C:\WINDOWS\system32\bund1\temp.txt
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\info.txt
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\wpcap.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\LEGACY_NEW_DRV
    -------\core
    -------\new_drv


    ((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


    2007-07-09 17:37 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-08 20:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2007-06-21 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-20 19:02 <DIR> d--h----- C:\WINDOWS\bdir


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-09 02:04:05 -------- d-----w C:\Program Files\SUPERAntiSpyware
    2007-06-30 00:08:22 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-21 23:58:23 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
    2007-06-08 20:36:16 27,186 ----a-w C:\WINDOWS\9129837.exe
    2007-05-18 00:57:29 -------- d-----w C:\Program Files\Common Files\AOL
    2007-05-12 22:03:08 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
    2007-05-12 21:51:20 -------- d-----w C:\Program Files\Common Files\Stardock
    2007-05-12 21:51:19 -------- d-----w C:\Program Files\Stardock
    2007-05-12 21:50:04 -------- d-----w C:\Program Files\BootSkin
    2007-05-12 21:44:30 -------- d-----w C:\Program Files\CursorXP
    2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
    2003-08-02 23:24 192512 -ra------ C:\SpywareGuard\dlprotect.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2004-05-12 01:03 744960 --a------ C:\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
    2005-07-17 15:53 3900416 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80}]
    2005-05-18 22:14 66048 --a------ C:\Internet Eraser\pkext.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    2005-01-10 12:20 218736 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 15:34]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 18:05]
    "@"="" []
    "SoundMan"="SOUNDMAN.EXE" [2004-09-24 00:27 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-09-24 23:06 C:\WINDOWS\ALCWZRD.EXE]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-21 14:38]
    "HostManager"="C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe" [2006-09-25 20:52]
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
    "LFAgent"="" []
    "BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2005-07-17 15:53]
    "CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-06 16:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Corel Registration.lnk]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Corel Registration.lnk
    backup=C:\WINDOWS\pss\Corel Registration.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL 9.LNKCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL Alarms.LNKCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Desktop Application Director 9.LNK
    backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANR]
    C:\XemiComputers\Audio Notes Recorder\ANR.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    "C:\Program Files\America Online 9.0a\AOL.EXE" -b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
    zHotkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Optimum Online]
    C:\Program Files\Optimum Online\Netsurf.exe -tray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR]
    C:\Pocket Voice Recorder\PVR.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
    ShowWnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    RpcxSs


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8b56f7-8cca-11d9-900f-806d6172696f}]
    AutoRun\command- D:\Info.exe folder.htt 480 480


    Contents of the 'Scheduled Tasks' folder
    2007-06-30 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Owner.job
    2007-07-09 20:08:22 C:\WINDOWS\tasks\Symantec NetDetect.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-09 18:04:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-09 18:06:47 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-09 18:06

    --- E O F ---
    Logfile of HijackThis v1.99.1
    Scan saved at 6:08:52 PM, on 7/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\SpywareGuard\sgmain.exe
    C:\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: PopKiller Class - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Internet Eraser\pkext.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - C:\Internet Eraser\AbsoluteBar.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\9129837.exe


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    How is it running now? Any problems?
     
  7. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    well the worst seems to have happened
    on boot up a screen pops supposodly from microsoft saying that someone else has activated my copy of windows and to reactivate my copy of windows i must provide credit card information which would not be charged. of course i did not fill this out but when i colse the screen windows shuts down. I tried this a few times with the same results so the computer cannot be used. However I can open the computer in safe mode. right now i am on my work computer
    also when i tried the task mgr to close that window it says it has been disabled.
    HELP!
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You did the right thing by not supplying your credit card number!!


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    Download this tool to your desktop:
    http://www.uploads.ejvindh.net/rootchk.exe
    Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

    Notice: Some security-programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn of your security programs while rootchk is scanning (you should then unhook your network connection as well)
     
  9. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    remember i cannot boot up in regular mode but only in safe mode. can i download sdfix in safe mode?
    also in the event i still cannotopen in reg mode can i run the uploads prog in safe mode?
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    SDFix runs in safe mode. You can save the scan to a floppy or thumb drive if you can't use safe mode with networking.
     
  11. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    what a dilema. had to copy the fixes at another computer as you are right- cannot get networking in safe mode. ran sd in safe but on rebooting i rebooted in safe mode. it did not complete the fix. then ran it again but let the comp. reboot in regular mode. it did save a report but quickly the message from microsoft popped up. after that you cannot do anything. also ran the other progs and got the reports. tried to acces your site on my daughters comp but it would not let me log on to your site saying it was blocked. now at my work computer to send the results:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:25:42 PM, on 7/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: PopKiller Class - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Internet Eraser\pkext.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - C:\Internet Eraser\AbsoluteBar.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [soft2] C:\WINDOWS\468234.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-8.0.5.48/superbingo/superbingo-en_US.cab
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
     
  12. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    SDFix: Version 1.91

    Run by Owner on Sat 07/14/2007 at 04:07 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    new_drv

    ImagePath:




    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\bdir\ffmiu\ExactPapers.com LPI 117-101 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com LPI 117-102 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-015 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-016 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-086 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-152 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-175 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-227 Exam Study By Step Guide v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-229 Study v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-232 Study Guide v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-234 Exam Study Guide v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Microsoft 070-244 Exam Study Guide v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactPapers.com Wireless PWO-100 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\eXactSite v1.21 build 0071.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactTrend eXactSite v1.21.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactTrend Web Log Explorer v1.82 build 0118.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExactWord v5.2.5.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exadel JSF Studio v1.2.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exadel Struts Studio v6.2.1 Linux.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exam Essentials v5.1.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exam Essentials v5.5 Crack.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exam Essentials v5.5 Keygen.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exam Essentials v5.5 Release 4d.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exam Essentials v6.x.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.5d.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.5e.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.5f.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.6 Crack.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.6 Keygen.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.6e.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.6f.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.6h.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.7.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v2.8.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v3.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v3.1.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v3.2.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff Pro v3.2x.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamDiff v2.7 Beta.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Examine32 Demo v3.03.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Examine32 v3.30c.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Examine32 v3.31.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Examine32 v4.12.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.23.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.52.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.53.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.54.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.56.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.67.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.78.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.81.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.85 by Orion.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.85.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.9.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.94.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v2.97.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.01.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.10.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.11 by Lucid.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.11.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.12.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.16 by Chic.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.16 by Lucid.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.16.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.17.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.25.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.x Generic 080104.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExamXML v3.x Generic.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Compare v1.0 by Dynamite.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Compare v1.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Haushaltsbuch v1.1.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Macro Processor v1.2.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Password Recovery v1.0b.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Password Recovery v1.0e by Revenge.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Password Recovery v1.0e.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel Premium Solver Platform v5.5.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excel to MySQL v1.5.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelDiff v1.0.47.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelDiff v1.1.52.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelDiff v1.1.57.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXCELerator 2.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExceleTel Teletools 3.52 Enterprise Updated.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExceleTel TeleTools CP 3.6 Enterprise.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelEverywhere HTML v2.3.11.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellence Killer v2.10.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games 1.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games 2.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games 3.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games 32-bit.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games Pack 1.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games v2.01.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excellent Card Games.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelPipe v2.1.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelRecovery v2.2.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelRecovery v3.0 (silent update 3).zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelRecovery v3.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excelsior Phase One.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excelsior Phase Two.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExcelToHTML v2.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exceptional Magic v1.65 for Delphi v3-4-5-6-7 and BCB v4-5-6.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exchange Monitor 2003 v2.0.81.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exchange of CD v1.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExchangeMonitor 2003 v1.0.71.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExchangeMonitor 2003 v2.0.87.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExchangeServerRecovery v2.7.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExCITEr v1.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Excosoft Docuview 3.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Blocker 2003.11.26.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Blocker v2002.11.13.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Icon Changer v3.6.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password 2004 v1.114.0.0 by ARTeam.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password 2004 v1.114.0.0 by Quartex.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password 2004 v1.114.0.0 by Virility.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password 2004 v1.114.0.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password 2k4 v1.111.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password Un****er v1.114.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Password v1.114.0.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe Password v1.114.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Passwort v1.114.0.0 German.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE PROTECT.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Protector v1.21.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Protector v2.01a.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.4.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.73.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.74 by SND.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.74.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.75 by TSRH.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.75.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE Stealth v2.75a.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE-Blocker v1.00.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE-Blocker v2001.04.0002.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\EXE-Blocker v2001.9.03.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exe32Pack v1.42 by Lucid.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Exeblocker 2004 v1.27.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\ExeBlocker v2004.4.28 German.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Explorer Basic Edition v6.00.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icon Changer v2.90.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icon Changer v3.70.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icons Changer v2.0.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icons Changer v2.30.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icons Changer v2.70.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icons Changer v3.8 by Explosion.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable File Icons Changer v3.8 by Lucid.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.01.01.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.01.0202.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.01.0216.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.01.0226.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.01.0901 by Eminence.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.01.0901 by ROR.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\Executable Zip Creator v4.02.zip - Deleted
    C:\WINDOWS\bdir\ffmiu\s.com LPI 117-201 Exam Q and A v10-2004.zip - Deleted
    C:\WINDOWS\new_drv.sys - Deleted
    C:\WINDOWS\system32\form.txt - Deleted


    Folder C:\WINDOWS\bdir - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

    Remaining Files:
    ---------------


    Files with Hidden Attributes:

    C:\Program Files\America Online 9.0\aolphx.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\America Online 9.0\RBM.exe
    C:\Program Files\America Online 9.0a\AOLphx.exe
    C:\Program Files\America Online 9.0a\rbm.exe
    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\WINDOWS\system32\config\default.tmp.LOG
    C:\WINDOWS\system32\config\SAM.tmp.LOG
    C:\WINDOWS\system32\config\SECURITY.tmp.LOG
    C:\WINDOWS\system32\config\software.tmp.LOG
    C:\WINDOWS\system32\config\system.tmp.LOG

    Finished
    ********************************* ROOTCHK-(08-07-07)-LOG, by ejvindh
    Sat 07/14/2007 16:29:46.46

    The rootkits that are detected by this tool were not found.

    ********************************* ROOTCHK-LOG-end


    catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-14 16:29:46
    Windows 5.1.2600 Service Pack 2
    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    hidden processes: 0
    hidden services: 0
    hidden files: 0
     
  13. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    February 4, 2005 07:38 PM


    Scammers are taking advantage of recent news that Microsoft is asking users to verify that they have a legitimate copy of Windows, a security firm said Friday.
    According to Websense Security Labs, e-mails bearing the spoofed address of [email protected] and with the heading "Microsoft Windows Update" ask recipients to update and/or validate both the Windows' serial number and the customer's credit card information on a Web site.

    "If you do not comply with our policy, windows will ask you to reactivate your serial number, and it will become invalid," the e-mail reads, then goes on to state, "So you will lose any information on your computer. If you do not validate your serial number, your copy of windows will be labeled as piracy."

    The message claims that the credit card will not be charged, but is required to validate that Windows is legit. It's signed "Windows XP Activation Team."

    Not only does the phishing-style e-mail try to rip off consumers' credit card numbers, but the site linked in the message will try to install spyware on any PC used to surf to the URL, said Websense. Increasingly, phishers are adding spyware to their bag of dirty tricks, installing key loggers and other system monitors on compromised computers to watch for passwords and other account access information.

    Savvy users will know that Microsoft never sends unsolicited e-mails relating to security, and that there is no such thing as the Windows XP Activation Team.
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Is there any real data on this machine? If so can you copy it, burn it, save it somehow and format/reload the system? That is what I would do.

    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\468234.exe

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Click here to download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found: [​IMG]
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
      [​IMG]
      This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.
     
  15. tarzan4you

    tarzan4you Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    249
    perhaps we saved me from a frontal lobotomaty. comp. booted up fine in reg mode. no sign of the microsoft message:
    468234.exe;c:\windows;Trojan.PWS.Banker.8976;Deleted.;
    keylog.dll;C:\Documents and Settings\Owner;Trojan.PWS.Banker.8977;Deleted.;
    keylog.dll;C:\Documents and Settings\sue;Trojan.PWS.Banker.8977;Deleted.;
    backup-20051207-225909-242.dll;C:\Hijack this\backups;Trojan.PWS.GoldSpy;Deleted.;
    GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
    new_drv.sys.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.NtRootKit.209;Deleted.;
    Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
    new_drv.sys;C:\SDFix\backups_old1;Trojan.NtRootKit.209;Deleted.;
    A0000021.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1;Trojan.NtRootKit.209;Deleted.;
    A0000038.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1;Trojan.NtRootKit.209;Deleted.;
    A0000572.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP10;Trojan.NtRootKit.239;Deleted.;
    A0001572.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP10;Trojan.NtRootKit.239;Deleted.;
    A0002572.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP10;Trojan.NtRootKit.239;Deleted.;
    A0003579.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP10;Trojan.NtRootKit.209;Deleted.;
    A0003601.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP10;Trojan.NtRootKit.239;Deleted.;
    A0003603.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP10;Trojan.NtRootKit.209;Deleted.;
    A0003641.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP11;Trojan.NtRootKit.209;Deleted.;
    A0003734.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP12;Trojan.NtRootKit.209;Deleted.;
    A0003745.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP12;Trojan.NtRootKit.209;Deleted.;
    A0003989.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP14;Trojan.NtRootKit.209;Deleted.;
    A0004096.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP15;Trojan.NtRootKit.209;Deleted.;
    A0004166.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP15;Trojan.PWS.Banker.8976;Deleted.;
    A0004167.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP15;Trojan.PWS.Banker.8977;Deleted.;
    A0004168.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP15;Trojan.PWS.Banker.8977;Deleted.;
    A0004169.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP15;Trojan.PWS.GoldSpy;Deleted.;
    A0004170.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP15;Trojan.NtRootKit.209;Deleted.;
    A0000095.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.NtRootKit.209;Deleted.;
    A0000200.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP4;Trojan.NtRootKit.209;Deleted.;
    A0000253.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5;Trojan.NtRootKit.209;Deleted.;
    A0000325.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP6;Trojan.NtRootKit.209;Deleted.;
    A0000357.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP7;Trojan.NtRootKit.209;Deleted.;
    A0000375.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP7;Trojan.NtRootKit.209;Deleted.;
    A0000401.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP7;Trojan.NtRootKit.209;Deleted.;
    A0000457.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP8;Trojan.NtRootKit.209;Deleted.;
    A0000484.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP8;Trojan.NtRootKit.209;Deleted.;
    A0000525.sys;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP9;Trojan.NtRootKit.209;Deleted.;
    9129837.exe;C:\_OTMoveIt\MovedFiles\WINDOWS;Trojan.PWS.Haiuy;Deleted.;

    Logfile of HijackThis v1.99.1
    Scan saved at 1:18:38 AM, on 7/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\SpywareGuard\sgbhp.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: PopKiller Class - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Internet Eraser\pkext.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - C:\Internet Eraser\AbsoluteBar.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1116709970\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-8.0.5.48/superbingo/superbingo-en_US.cab
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/593373

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice