Hey Sempurna
I couldn't install AVs in safe mode; it says "The Windows Installer service could not be accessed. This can occur if you're running Windows in safe mode, or if the Windows Installer is not correctly installed" :( . So right now I have no antivirus on my PC. By the way, I like AVG, since all other virus guards slow down my PC (I only have 128 MB of RAM). Should I reinstall AVG?
Combofix log:
"Laura" - 2007-05-16 14:08:26 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Laura\Desktop\"
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))
2007-05-16 13:48 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-05-16 13:47 <DIR> drahs---- C:\autorun.inf
2007-05-16 02:20 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-16 02:20 2,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-16 00:40 <DIR> d--hs---- C:\FOUND.002
2007-05-16 00:37 <DIR> d-------- C:\WINDOWS\system\msvcp71.dll
2007-05-12 22:28 <DIR> d-------- C:\DOCUME~1\Laura\DoctorWeb
2007-05-11 14:49 <DIR> d--hs---- C:\FOUND.001
2007-05-09 20:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-05 23:28 <DIR> d--hs---- C:\FOUND.000
2007-05-05 22:56 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-05 22:18 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-05 22:16 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-05 22:16 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-05 19:07 <DIR> d-------- C:\DOCUME~1\Asraf\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 16:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-05 16:58 <DIR> d-------- C:\DOCUME~1\Laura\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 16:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 15:57 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 09:46 414,272 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-04-30 09:46 414,272 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-04-30 09:46 <DIR> d-------- C:\temp\DivX_311alpha
2007-04-28 20:11 <DIR> d-------- C:\WINDOWS\exefld
2007-04-19 21:57 <DIR> d-------- C:\download
2007-04-19 21:57 <DIR> d-------- C:\DOCUME~1\Laura\APPLIC~1\Offline Explorer
2007-04-19 21:55 <DIR> d-------- C:\Program Files\Offline Explorer Pro
2007-04-16 02:21 <DIR> d-------- C:\mysqldriver
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-05 15:23:04 22,748 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-13 12:49:36 -------- d-----w C:\Program Files\Canon
2007-04-13 05:53:08 -------- d-----w C:\Program Files\MSECache
2007-04-08 11:15:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-08 10:41:30 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-06 17:43:32 -------- d-----w C:\Program Files\NimoCodec Pack
2007-04-06 07:16:46 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-06 06:39:08 -------- d-----w C:\Program Files\Cheetah Burner
2007-04-05 16:18:02 -------- d-----w C:\Program Files\Hero3000
2007-04-05 13:01:32 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Help
2007-04-05 06:15:04 -------- d-----w C:\Program Files\BanglaSoftwareGroup
2007-04-03 13:09:14 -------- d-----w C:\Program Files\Emule Speed Booster
2007-04-03 06:08:54 -------- d-----w C:\Program Files\Webshots
2007-04-03 06:08:54 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Webshots
2007-04-03 03:16:52 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\vlc
2007-04-03 03:09:58 -------- d-----w C:\Program Files\VideoLAN
2007-04-02 19:59:28 -------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-04-02 19:59:28 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\TuneUp Software
2007-04-02 19:58:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-30 17:12:46 0 ----a-w C:\CONFIG.SYS
2007-03-30 17:12:46 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 19:30:40 -------- d-----w C:\Program Files\Proxifier
2007-03-29 15:41:22 -------- d-----w C:\Program Files\eMule
2007-03-29 11:12:20 -------- d-----w C:\Program Files\eMule.de
2007-03-29 11:08:44 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Google
2007-03-28 14:00:54 -------- d-----w C:\Program Files\WordWeb
2007-03-27 16:48:56 -------- d-----w C:\Program Files\Google
2007-03-26 16:28:08 -------- d--h--r C:\DOCUME~1\Laura\APPLIC~1\yahoo!
2007-03-25 20:53:56 -------- d-----w C:\Program Files\Yahoo!
2007-03-25 19:45:04 -------- d-----w C:\Program Files\DAP
2007-03-24 20:46:26 -------- d-----w C:\Program Files\directx
2007-03-24 20:45:22 -------- d-----w C:\Program Files\Multimedia V3.08
2007-03-24 18:43:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-24 18:43:00 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-23 09:34:12 65,536 --sh--w C:\VIDEOROM.BIN
2007-03-23 09:23:46 1,663 --sh--r C:\MSDOS.SYS
2007-03-19 04:20:08 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\AdobeUM
2007-03-19 04:02:38 -------- d-----w C:\Program Files\Winamp
2007-03-19 04:00:36 -------- d-----w C:\Program Files\Creative
2007-03-19 03:56:58 -------- d-----w C:\Program Files\TC PowerPack
2007-03-18 05 20 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-18 05:03:10 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-18 05:01:54 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-18 05:01:40 -------- d-----w C:\Program Files\Movie Maker
2007-03-18 04:59:46 -------- d-----w C:\Program Files\Online Services
2007-03-18 04:59:34 -------- d-----w C:\Program Files\Messenger
2007-03-18 04:59:30 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-18 04:58:42 -------- d-----w C:\Program Files\Windows NT
2007-03-18 04:49:16 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-18 04:49:12 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-06 08:50:54 1,101,824 ----a-w C:\WINDOWS\system32\NMSDVDXU.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}"="C:\Program Files\DAP\DAPIEBar.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiS Tray"="C:\\WINDOWS\\system32\\sistray.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"D066UUtility"="C:\\WINDOWS\\TWAIN_32\\D66U\\D066UUTY.EXE"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"avp6_post_uninstall"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"D066UUtility"="C:\\WINDOWS\\TWAIN_32\\D66U\\D066UUTY.EXE"
"ECS CLOCK"="C:\\WINDOWS\\system32\\ecsclock.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-05-16 14:10:36
Windows 5.1.2600 Service Pack 2 FAT
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-16 14:10:44
C:\ComboFix-quarantined-files.txt ... 2007-05-16 14:10
C:\ComboFix3.txt ... 2007-05-15 21:55
C:\ComboFix2.txt ... 2007-05-16 01:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:35:29 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TC PowerPack\totalcmd.exe
E:\CD\software\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
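Added example (my own code, not the poster's and not part of HijackThis or ComboFix): a small Python triage script that reads HijackThis-style entries and flags the ones a helper would normally ask about first. The heuristics are assumptions chosen for this log, not a published ruleset: an autostart or service entry marked "(file missing)" (the two xpnetdiag O9 entries and the Symantec O23 service above) is an orphan that can simply be fixed, an explicit IE proxy (the R1 ProxyServer line pointing at 10.0.0.20:3128) should be confirmed as intentional because it is also a common hijack indicator, a service with "Unknown owner" has no recognised publisher, and an unbalanced quote in a service path is worth a look. The sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# Every HijackThis entry starts with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Sample input: lines copied verbatim from the HijackThis log in this post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
"""


@dataclass
class Finding:
    code: str            # HijackThis section code (R1, O9, O23, ...)
    line: str            # the full entry as it appeared in the log
    reasons: list = field(default_factory=list)


def triage_hijackthis(log_text: str) -> list:
    """Return the entries worth a second look, each with the reason(s) it was flagged.

    The rules are simple heuristics (an assumption of this example), not a
    verdict: a flagged line means "ask about it", not "this is malware".
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                        # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        reasons = []

        # Orphaned entry: the registry still points at a file that is gone.
        if "(file missing)" in body:
            reasons.append("orphaned entry: referenced file no longer exists")

        # Explicit IE proxy: legitimate on a LAN with a proxy, but also a
        # classic hijack indicator, so it must be confirmed with the user.
        if code == "R1" and "ProxyServer" in body:
            reasons.append("explicit IE proxy configured: confirm it is intentional")

        # Service whose binary HijackThis could not attribute to a publisher.
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no recognised publisher")

        # A lone double quote in a service path means the ImagePath was
        # recorded with unbalanced quoting, which is worth inspecting.
        if code == "O23" and body.count('"') % 2 == 1:
            reasons.append("unbalanced quote in service ImagePath")

        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


def report(findings: list) -> str:
    """Render the findings as plain text, one entry per block."""
    out = []
    for f in findings:
        out.append(f.line)
        out.extend("    -> " + r for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_hijackthis(SAMPLE_LOG)))
```

Run against the sample, the script leaves the Adobe BHO, ctfmon, Lexmark and TuneUp entries alone and flags four lines: the proxy setting, the two xpnetdiag buttons, and the Symantec service (which trips three rules at once). Extending it to the O4 section is a matter of adding a rule; a lookup against a list of known-good file names is the obvious next step, but that list is not something this example invents.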