Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Malware Removal

Join Tech Support Forum Today

 
 
Thread Tools Search this Thread
 
Old 12-08-2007, 11:31 AM   #1
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Malware Removal
I am infected with malware, my AVG Anti-spyware detected it, but I can't seem to remove it, everytime I scan I get more results, it seems to be spreading, what should I do?

__________________
ScarletRose is offline  
Old 12-08-2007, 12:54 PM   #2
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Re: Malware Removal
Is my problem unsolvable?

__________________
ScarletRose is offline  
Old 12-08-2007, 09:27 PM   #3
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Malware Removal
Hello ScarletRose and welcome to TSF,

We need a little more information than that to help you out.

Please follow the instructions in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log and post the requested logs in your next reply.


**Please note this section of the forum is very busy, so please familiarize yourself with the Bumping Rules also found in Step 5 of our sticky topic mentioned above. One of our Analysts will review your log as soon as possible.
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-23-2007, 08:36 PM   #4
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Panda scan
Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\MyWebSearch\bar\3.bin\MWSBAR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\jbaovutr.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\mfcxiugh.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\weehlkcw.dll.vir
Adware:Adware/WebSearch Not disinfected C:\VundoFix Backups\becsecdo.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\neqfcmrk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ocnjsdkh.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ssqpq.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wxhcupqc.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\yvmjaqhq.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/VirusProtectPro Not disinfected C:\WINDOWS\system32\rldyt.dll
__________________
ScarletRose is offline  
Old 12-23-2007, 08:54 PM   #5
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Malware Removal
Thank you for the Panda results, but you're missing the most important set of logs we need to work from.

As noted in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log, download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-23-2007, 09:24 PM   #6
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


other log
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-23 00:19:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2007-12-23 05:19:36 UTC - RP120 - Deckard's System Scanner Restore Point
54: 2007-12-22 10:12:25 UTC - RP119 - System Checkpoint
53: 2007-12-17 22:57:53 UTC - RP118 - System Checkpoint
52: 2007-12-14 08:17:25 UTC - RP117 - System Checkpoint
51: 2007-12-13 08:00:56 UTC - RP116 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-09-26 01:54:20 UTC - RP66 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-23 00:21:01
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\McAfee.com\VSO\McShield.exe
C:\Program Files\McAfee.com\Agent\McTskshd.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\AOL\1141258253\EE\aolsoftware.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee\SpamKiller\MSKAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfAgent.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\digital imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.khinsider.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F0 - system.ini: Shell=explorer.exe
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\windows\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\Program Files\McAfee.com\MPS\McBrHlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\Program Files\McAfee.com\MPS\PopupKiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - C:\Program Files\McAfee\SpamKiller\McApfBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\windows\system32\hphmon06.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: https://www.neopets.com (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: - C:\Program Files\Windows Plus\prolyhd.html

--
End of file - 12389 bytes

-- HijackThis Fixed Entries (C:\Program Files\Hijackthis\backups\) -------------

backup-20070629-221019-223 O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\4.bin\m3IMPipe.exe"
backup-20070629-221019-235 O2 - BHO: (no name) - {286F1967-A265-4467-8697-92A919A4B06B} - \
backup-20070629-221019-256 R3 - URLSearchHook: (no name) - - (no file)
backup-20070629-221019-631 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm801YYUS
backup-20070629-221019-828 O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 AMDMSRIO - c:\docume~1\admini~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys (file missing)
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 EMCFILT (Alcor Micro Corp for Emachine- 9361) - c:\windows\system32\drivers\emcfilt.sys <Not Verified; Alcor Micro Corp.; emcfilt>
S3 TnIDriver - c:\docume~1\owner\locals~1\temp\tni15b.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe

S2 MskService (McAfee SpamKiller Server) - c:\progra~1\mcafee\spamki~1\msksrvr.exe <Not Verified; McAfee Inc.; McAfee SpamKiller>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5001ED4232521
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\5001ED4232521
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2007-12-22 23:27:02 316 --a------ C:\windows\Tasks\HP Usg Daily.job


-- Files created between 2007-11-23 and 2007-12-23 -----------------------------

2007-12-23 00:11:29 0 d-------- C:\Program Files\SpywareBlaster
2007-12-22 23:56:14 0 d-------- C:\ie-spyad_zo
2007-12-22 22:18:24 0 d-------- C:\windows\system32\ActiveScan
2007-12-22 22:18:20 0 d-------- C:\windows\LastGood
2007-12-21 10:16:34 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-12-07 19:25:18 0 d--hs---- C:\windows\system32\wsnpoem
2007-12-01 22:41:31 0 d-------- C:\Program Files\Theme Park World Fix
2007-12-01 18:49:42 285 --a------ C:\windows\EReg072.dat
2007-12-01 18:47:30 0 d-------- C:\Program Files\SimTheme Park
2007-11-27 23:15:19 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-25 01:10:09 0 d-------- C:\windows\system32\LogFiles


-- Find3M Report ---------------------------------------------------------------

2007-12-22 23:10:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-22 23:09:38 0 d-------- C:\Program Files\QuickTime
2007-12-22 2352 0 d-------- C:\Program Files\Messenger
2007-12-22 23:02:46 0 d-------- C:\Program Files\Google
2007-12-22 23:02:08 0 d-------- C:\Program Files\Digital Media Reader
2007-12-22 22:59:53 0 d-------- C:\Program Files\BigFix
2007-12-14 15:17:29 0 d-------- C:\Program Files\Microsoft Money 2006
2007-12-13 03:11:46 12 --a------ C:\windows\bthservsdp.dat
2007-11-30 18:28:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-11-27 23:15:19 0 d-------- C:\Program Files\Common Files
2007-11-22 00:05:07 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-21 23:55:40 0 d-------- C:\Program Files\CCleaner
2007-11-21 23:55:30 0 d-------- C:\Program Files\Yahoo!
2007-11-19 21:03:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 20:16:55 1152 --a------ C:\windows\system32\windrv.sys
2007-11-19 20:15:56 0 d-------- C:\Program Files\Common Files\Download Manager
2007-11-14 03:10:46 12800 --a------ C:\windows\system32\rldyt.dll
2007-10-23 18:28:06 0 d-------- C:\Program Files\EleFun Desktops
2007-10-23 18:27:29 0 d-------- C:\Documents and Settings\Owner\Application Data\elefundesktops
2007-10-23 18:14:47 194560 --a------ C:\windows\Halloween.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-10-23 18:13:19 12288 --a------ C:\windows\impborl.dll
2007-10-23 18:13:19 606848 --a------ C:\windows\flashax.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2007-10-02 17:26:26 458752 --a------ C:\windows\3DRT - Dark forest mansion - low.scr <Not Verified; ScreenTime Media; ScreenTime For Director>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/15/2005 12:05 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 10:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 10:47 AM]
"@"="" []
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [05/26/2004 08:57 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe" [03/08/2006 01:38 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 09:18 PM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/12/2005 01:02 AM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 11:05 AM]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [09/26/2005 01:26 PM]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [08/12/2005 07:16 PM]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [08/10/2005 03:49 PM]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [09/27/2005 08:17 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [04/18/2005 01:38 PM]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [03/27/2006 10:57 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 02:00 PM C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/01/2006 07:12 PM]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [09/28/2005 03:28 PM]
"HPDJ Taskbar Utility"="C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [04/06/2004 05:28 AM]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [06/06/2004 11:53 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 12:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 02:18 PM]
"HPHmon06"="C:\windows\system32\hphmon06.exe" [06/06/2004 11:42 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/01/2006 07:11 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/08/2007 08:53 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 01:06 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [11/13/2007 03:48 PM]
"@"="" []
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [08/10/2004 02:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [3/1/2006 7:14:08 PM]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [7/24/2006 5:54:54 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [11/19/2007 9:16:20 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [5/28/2004 9:31:38 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\digital imaging\bin\hpqthb08.exe [5/28/2004 1036 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Plus\prolyhd.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe "
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\windows\system32\ntos.exe,"
"System"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23e0a72a-4239-11dc-a159-0011b107a2cd}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2007-12-23 00:22:00 ------------
Attached Files
File Type: txt extra.txt (16.1 KB, 2 views)
__________________
ScarletRose is offline  
Old 12-23-2007, 09:42 PM   #7
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Malware Removal
This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Delete your existing ComboFix.exe and download Combofix again from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**


2. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix). Do not run it yet.

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

My Web Search (Zwinky)

*Disregard any prompts to reboot.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply.
--------------------------------------------------------------------

From Normal Mode....

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • I'll need the C:\ComboFix.txt in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

---------------------------------------------------------------------

Please include the following in your next reply, in the following order:

C:\ComboFix2.txt
C:\SDFix\Report.txt
C:\ComboFix.txt
New HijackThis log
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-24-2007, 04:03 AM   #8
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


sorry it took long
ComboFix 07-12-24.8 - Owner 2007-12-23 6:39:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Application Data\Starware316
C:\Documents and Settings\Guest\Application Data\Starware316\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Guest\Application Data\Starware316\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Configurator\Configurator.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Configurator\Configurator.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Games\GamesOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Games\GamesOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Manager\ManagerOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Movies\MoviesOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Reference\ReferenceOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Tem1BA.tmp
C:\Documents and Settings\Guest\Application Data\Starware316\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Guest\Application Data\Starware316\Weather\AlertArchive.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Weather\WeatherOptions.xml
C:\Documents and Settings\Guest\Application Data\Starware316\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Owner\Application Data\FunWebProducts
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\avatar.dat
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\register.dat
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\wffavs.dat
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\zbucks.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\000F743C.urr
C:\Program Files\FunWebProducts\Shared\002D10CD.dat
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\windows\system32\f3PSSavr.scr
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 06:16 . 2007-12-23 06:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-23 05:45 . 2007-12-23 05:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 00:11 . 2007-12-23 00:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-22 23:56 . 2007-12-22 23:56 <DIR> d-------- C:\ie-spyad_zo
2007-12-22 22:18 . 2007-12-22 23:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-22 22:18 . 2007-12-22 22:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-01 22:41 . 2007-12-01 22:43 <DIR> d-------- C:\Program Files\Theme Park World Fix
2007-12-01 18:49 . 2007-12-01 22:31 285 --a------ C:\WINDOWS\EReg072.dat
2007-12-01 18:47 . 2007-12-01 22:46 <DIR> d-------- C:\Program Files\SimTheme Park
2007-11-27 23:15 . 2007-11-27 23:18 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-11-25 01:10 . 2007-11-25 01:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 06:00 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-23 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-23 05:38 --------- d-----w C:\Program Files\Common Files\Real
2007-12-23 04:09 --------- d-----w C:\Program Files\QuickTime
2007-12-23 04:02 --------- d-----w C:\Program Files\Google
2007-12-23 04:02 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-23 03:59 --------- d-----w C:\Program Files\BigFix
2007-12-14 20:17 --------- d-----w C:\Program Files\Microsoft Money 2006
2007-11-22 05:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-22 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-22 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-22 05:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 04:55 --------- d-----w C:\Program Files\Yahoo!
2007-11-22 04:55 --------- d-----w C:\Program Files\CCleaner
2007-11-20 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 01:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-11-13 10:25 20,480 ----a-w C:\windows\system32\drivers\secdrv.sys
2007-10-23 23:14 194,560 ----a-w C:\windows\Halloween.scr
2007-10-23 23:13 606,848 ----a-w C:\windows\flashax.exe
2007-10-23 23:13 12,288 ----a-w C:\windows\impborl.dll
2007-10-02 22:26 458,752 ----a-w C:\windows\3DRT - Dark forest mansion - low.scr
2007-02-24 05:59 556 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-06-20 01:53 6,530 -csha-w C:\windows\system32\qpqss.bak1
2007-06-20 13:53 1,843,836 -csha-w C:\windows\system32\qpqss.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-08 20:53]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-13 15:48]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-10 14:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 00:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 20:57]
"HostManager"="C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe" [2006-03-08 13:38]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 21:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 01:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 13:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 19:16]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 15:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 20:17]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2005-04-18 13:38]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 10:57]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 14:00 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-01 19:12]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-09-28 15:28]
"HPDJ Taskbar Utility"="C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 05:28]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 23:53]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"HPHmon06"="C:\windows\system32\hphmon06.exe" [2004-06-06 23:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-03-01 19:14:08]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-24 05:54:54]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-19 21:16:20]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\digital imaging\bin\hpqthb08.exe [2004-05-28 2236]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Plus\prolyhd.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 HSFHWATI;HSFHWATI;C:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 17:18]
S3 AMDMSRIO;AMDMSRIO;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23e0a72a-4239-11dc-a159-0011b107a2cd}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 04:27:02 C:\windows\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 06:45:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 6:50:58 - machine was rebooted
.
2007-12-13 08:05:48 --- E O F ---















SDFix: Version 1.119

Run by Owner on Sun 12/23/2007 at 06:19 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\windows\system32\wsnpoem\audio.dll - Deleted
C:\windows\system32\wsnpoem\audio.dll.cla - Deleted
C:\windows\system32\wsnpoem\video.dll - Deleted



Folder C:\windows\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

C:\windows
No streams found.

C:\windows\system32
No streams found.

C:\windows\system32\svchost.exe
No streams found.

C:\windows\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 06:28:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a2cd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a2cd]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
"DisplayName"="\xf008\x32d\xf008\x32d\1"
"DeviceDesc"="\xf008\x32d\xf008\x32d\1"
"ProviderName"="\xfed4\21\xee18\x7c90\xff44\21\b"
"MFG"="\x598"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe114\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"d:\i386\apps\app24254\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000002c

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 16 Jul 2006 6,458 A..H. --- "C:\Temp\t4.bak"
Sun 16 Jul 2006 4,730 A..H. --- "C:\Temp\t4.bak1"
Tue 19 Jun 2007 6,530 A.SH. --- "C:\WINDOWS\system32\qpqss.bak1"
Wed 20 Jun 2007 1,843,836 A.SH. --- "C:\WINDOWS\system32\qpqss.bak2"
Sat 13 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 16 Jul 2006 1,234 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"

Finished!














Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:52 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\windows\system32\svchost.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\windows\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\windows\system32\hphmon06.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\windows\system32\HPZipm12.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.khinsider.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\windows\system32\hphmon06.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Plus\prolyhd.html

--
End of file - 10443 bytes
__________________
ScarletRose is offline  
Old 12-24-2007, 04:04 AM   #9
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Re: Malware Removal
I Could not remove my web search zwinky. I got the following message:

error loading C:\PROGRA~1\MYWEBS~\bar\4.bin\mwsbar.dll
The specified module could not be found
__________________
ScarletRose is offline  
Old 12-24-2007, 08:58 AM   #10
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Malware Removal
Hi,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\windows\system32\qpqss.bak1
C:\windows\system32\qpqss.bak2
C:\Program Files\Windows Plus\prolyhd.html

Folder::
C:\Temp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-
Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------------

Open HJT. Click on Open the Misc Tools Section.
*Click on 'Open Uninstall Manager"
*Highlight (click on) my web search zwinky
*Click "Delete this entry"
Close HijackThis

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-24-2007, 12:42 PM   #11
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Re: Malware Removal
ComboFix 07-12-24.8 - Owner 2007-12-24 14:25:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.167 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Windows Plus\prolyhd.html
C:\windows\system32\qpqss.bak1
C:\windows\system32\qpqss.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\ETH1.jpg
C:\Temp\QuickStartGuide.html
C:\Temp\t4.bak
C:\Temp\t4.bak1
C:\Temp\t4.log
C:\windows\system32\qpqss.bak1
C:\windows\system32\qpqss.bak2

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 06:16 . 2007-12-23 06:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-23 05:45 . 2007-12-23 05:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 00:11 . 2007-12-24 14:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-22 23:56 . 2007-12-22 23:56 <DIR> d-------- C:\ie-spyad_zo
2007-12-22 22:18 . 2007-12-22 23:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-22 22:18 . 2007-12-22 22:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-01 22:41 . 2007-12-01 22:43 <DIR> d-------- C:\Program Files\Theme Park World Fix
2007-12-01 18:49 . 2007-12-01 22:31 285 --a------ C:\WINDOWS\EReg072.dat
2007-12-01 18:47 . 2007-12-01 22:46 <DIR> d-------- C:\Program Files\SimTheme Park
2007-11-27 23:15 . 2007-11-27 23:18 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-11-25 01:10 . 2007-11-25 01:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 12:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-24 11:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-23 05:38 --------- d-----w C:\Program Files\Common Files\Real
2007-12-23 04:09 --------- d-----w C:\Program Files\QuickTime
2007-12-23 04:02 --------- d-----w C:\Program Files\Google
2007-12-23 04:02 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-23 03:59 --------- d-----w C:\Program Files\BigFix
2007-12-14 20:17 --------- d-----w C:\Program Files\Microsoft Money 2006
2007-11-22 05:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-22 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-22 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-22 05:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 04:55 --------- d-----w C:\Program Files\Yahoo!
2007-11-22 04:55 --------- d-----w C:\Program Files\CCleaner
2007-11-20 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 01:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-11-14 08:10 12,800 ----a-w C:\windows\system32\rldyt.dll
2007-11-13 10:25 20,480 ----a-w C:\windows\system32\drivers\secdrv.sys
2007-10-29 22:35 1,287,680 ----a-w C:\windows\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\windows\system32\wmasf.dll
2007-10-23 23:14 194,560 ----a-w C:\windows\Halloween.scr
2007-10-23 23:13 606,848 ----a-w C:\windows\flashax.exe
2007-10-23 23:13 12,288 ----a-w C:\windows\impborl.dll
2007-10-02 22:26 458,752 ----a-w C:\windows\3DRT - Dark forest mansion - low.scr
2007-02-24 05:59 556 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-08 20:53]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-13 15:48]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-10 14:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 00:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 20:57]
"HostManager"="C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe" [2006-03-08 13:38]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 21:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 01:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 13:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 19:16]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 15:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 20:17]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2005-04-18 13:38]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 10:57]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 14:00 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-01 19:12]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-09-28 15:28]
"HPDJ Taskbar Utility"="C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 05:28]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 23:53]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"HPHmon06"="C:\windows\system32\hphmon06.exe" [2004-06-06 23:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-03-01 19:14:08]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-24 05:54:54]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-19 21:16:20]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\digital imaging\bin\hpqthb08.exe [2004-05-28 2236]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 HSFHWATI;HSFHWATI;C:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 17:18]
S3 AMDMSRIO;AMDMSRIO;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23e0a72a-4239-11dc-a159-0011b107a2cd}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-24 16:27:01 C:\windows\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 14:27:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 14:28:19
C:\ComboFix2.txt ... 2007-12-24 06:50
.
2007-12-13 08:05:48 --- E O F ---





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 24, 2007 3:39:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/12/2007
Kaspersky Anti-Virus database records: 493131
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 54405
Number of viruses found: 16
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 00:48:42

Infected Object Name / Virus Name / Last Action
C:\!KillBox\MyWebSearch\bar\3.bin\F3BROVLY.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\!KillBox\MyWebSearch\bar\3.bin\F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\!KillBox\MyWebSearch\bar\3.bin\MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\!KillBox\MyWebSearch\bar\3.bin\MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3BROVLY.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3DTACTL.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3HTTPCT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3IMSTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3SHLLVW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\!KillBox\MyWebSearch\bar\4.bin\F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3MSG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3SLSRCH.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\!KillBox\MyWebSearch\bar\4.bin\M3SRCHMN.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\!KillBox\MyWebSearch\bar\4.bin\MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\!KillBox\MyWebSearch\bar\4.bin\MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\!KillBox\MyWebSearch\bar\4.bin\NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\!KillBox\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007122420071225\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFCC15.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE8E8.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\gather-now.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\ie7conflict.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\notes.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\partner-700.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\subscrip-2000.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\survey.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\updates-300.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\urgent-800.dat Object is locked skipped
C:\Program Files\BigFix\__Data\__Global\Logs\20071224.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP122\A0102286.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP122\A0102287.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP124\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{58C74BF8-389E-4596-8D7B-D6F48E7A44CD}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7FAEE8F3-B355-4422-851E-07A70B7DF3FB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rldyt.dll Infected: Trojan-Downloader.Win32.Bojo.v skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP124\change.log Object is locked skipped

Scan process completed.











Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:51 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\windows\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\windows\system32\svchost.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\windows\system32\hphmon06.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\windows\system32\HPZipm12.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\windows\System32\svchost.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.khinsider.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141258253\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\windows\system32\hphmon06.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10351 bytes
__________________
ScarletRose is offline  
Old 12-24-2007, 08:10 PM   #12
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Re: Malware Removal
oh right, I forgot, my systems behavior is way better than before, its faster and my homepage doesn't keep being changed anymore, that virus(logger.Zbot) scared me really bad cause it wouldn't go away no matter what I tryed,, so what should I do about the remaining viruses that kaspersky found?
__________________
ScarletRose is offline  
Old 12-26-2007, 08:37 AM   #13
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Malware Removal
Simply delete this folder:

C:\!KillBox

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-26-2007, 08:19 PM   #14
Registered Member
 
Join Date: Dec 2007
Posts: 10
OS: xp


Re: Malware Removal
yes, I think my pc is virus free, thank you so much, this was my second time infected and I don't know how it happend, I'll read the articles word for word and get extra protection, if I ever get another infection, I defenitly know where to come
how do I mark this thread solved?
__________________
ScarletRose is offline  
Old 12-26-2007, 08:30 PM   #15
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 38,645
OS: WinXP Home, Vista, Windows 7 64bit


Re: Malware Removal
Hi ScarletRose,

You're welcome, and I'm glad we could be of assistance, take care.

I'll take care of moving this thread to the Resolved area.

__________________
Member of ASAP since 2005
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
 

« kaspersky picked up a trojan, need help removing | Advertising popup help! »
Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Post a Question





Our Communities

Our communities encompass many different hobbies and interests, but each one is built on friendly, intelligent membership.

» More about our Communities

Automotive Communities

Our Automotive communities encompass many different makes and models. From U.S. domestics to European Saloons.

» More about our Automotive Communities

RV & Travel Trailer Communities

Our RV & Travel Trailer sites encompasses virtually all types of Recreational Vehicles, from brand-specific to general RV communities.

» More about our RV Communities

Marine Communities

Our Marine websites focus on Cruising and Sailing Vessels, including forums and the largest cruising Wiki project on the web today.

» More about our Marine Communities


All times are GMT -7. The time now is 02:39 PM.

Contact Us - Tech Support Forum - Site Map - Community Rules - Terms of Service - Privacy - Top

Copyright 2001 - 2010, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security