
Black Worm/vicking Worm [moved from security]

4K views 64 replies 3 participants last post by  samual 
#1 ·
Hi, SD picked up the above worms. Can anyone assist? Thanks.
 
#3 · (Edited)
Black worm / Viking worm

ComboScan v20070306.20 run by chris pc on 2007-03-11 at 16:15:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-03-11 23:15:25 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as chris pc.exe) -------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:17:12 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\chris pc\Desktop\New Briefcase\comboscan.exe
C:\PROGRA~1\HIJACK~1\chris pc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170349875140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170351159718
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4949/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1R Aavmker4 (avast! Asynchronous Virus Monitor) - C:\WINDOWS\system32\drivers\aavmker4.sys
2R aswMon2 (avast! Standard Shield Support) - C:\WINDOWS\system32\drivers\aswmon2.sys
3R aswRdr - C:\WINDOWS\system32\drivers\aswRdr.sys
1R aswTdi (avast! Network Shield Support) - C:\WINDOWS\system32\drivers\aswTdi.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
3R b57w2k (Broadcom NetXtreme Gigabit Ethernet) - C:\WINDOWS\system32\drivers\b57xp32.sys
3S btaudio (Bluetooth Audio Device) - C:\WINDOWS\system32\drivers\btaudio.sys
3S BTDriver (Bluetooth Virtual Communications Driver) - C:\WINDOWS\system32\drivers\btport.sys
3R BTKRNL (Bluetooth Bus Enumerator) - C:\WINDOWS\system32\drivers\btkrnl.sys
3S BTWDNDIS (Bluetooth LAN Access Server) - C:\WINDOWS\system32\drivers\btwdndis.sys
3S BTWUSB (WIDCOMM USB Bluetooth Driver) - C:\WINDOWS\system32\drivers\btwusb.sys
3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3R HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys
3S HPZid412 (IEEE-1284.4 Driver HPZid412) - C:\WINDOWS\system32\drivers\HPZid412.sys
3S HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - C:\WINDOWS\system32\drivers\HPZipr12.sys
3S HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - C:\WINDOWS\system32\drivers\HPZius12.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFHWBS2.sys
3R HSF_DPV - C:\WINDOWS\system32\drivers\HSF_DPV.sys
1R ikhfile (File Security Kernel Anti-Spyware Driver) - C:\WINDOWS\system32\drivers\ikhfile.sys
1R ikhlayer (Kernel Anti-Spyware Driver) - C:\WINDOWS\system32\drivers\ikhlayer.sys
4R InCDfs (InCD File System) - C:\WINDOWS\system32\drivers\InCDfs.sys
1R InCDPass - C:\WINDOWS\system32\drivers\InCDpass.sys
1R incdrm (InCD Reader) - C:\WINDOWS\system32\drivers\InCDrm.sys
3R IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - C:\WINDOWS\system32\drivers\RtkHDAud.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3R pcouffin (VSO Software pcouffin) - C:\WINDOWS\system32\drivers\pcouffin.sys
3R pfc (Padus ASPI Shell) - C:\WINDOWS\system32\drivers\pfc.sys
3R RTL8023 (Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver) - C:\WINDOWS\system32\drivers\Rtlnic51.sys
3S rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - C:\WINDOWS\system32\drivers\RTL8139.sys
0R Teefer (Teefer for NT) - C:\WINDOWS\system32\drivers\Teefer.sys
2R tmcomm - C:\WINDOWS\system32\drivers\tmcomm.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
2R wg3n (SyGate for NT, wg3n) - C:\WINDOWS\system32\drivers\wg3n.sys
2R wg4n (SyGate for NT, wg4n) - C:\WINDOWS\system32\drivers\wg4n.sys
2R wg5n (SyGate for NT, wg5n) - C:\WINDOWS\system32\drivers\wg5n.sys
2R wg6n (SyGate for NT, wg6n) - C:\WINDOWS\system32\drivers\wg6n.sys
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
1R wpsdrvnt - C:\WINDOWS\system32\drivers\wpsdrvnt.sys
4S WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys
3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
2R avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3R avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3R avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2R btwdins (Bluetooth Service) - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
2R InCDsrv (InCD Helper) - C:\Program Files\Ahead\InCD\InCDsrv.exe
3R iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
2S Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
2R SDhelper (PC Tools Spyware Doctor) - C:\Program Files\Spyware Doctor\sdhelp.exe
2R SmcService (Sygate Personal Firewall) - C:\Program Files\Sygate\SPF\smc.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-02-12 09:49:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-02-11 and 2007-03-11 -----------------------------

2007-03-11 16:08:17 0 d-------- C:\Documents and Settings\chris pc\Application Data\DMCache
2007-03-11 16:08:12 0 d-------- C:\Program Files\Internet Download Manager<INTERN~2>
2007-03-11 14:22:05 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-03-11 14:22:04 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-03-06 23:04:44 0 d-------- C:\Documents and Settings\chris pc\Application Data\MySpace
2007-03-06 23:04:42 0 d-------- C:\Program Files\MySpace
2007-03-05 20:50:13 0 d--h---c- C:\WINDOWS\ie7
2007-03-04 19:08:58 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-04 19:08:58 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-03-04 19:08:57 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-04 19:08:56 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-04 19:08:56 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-04 19:08:51 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-04 19:08:51 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-03-04 14:42:26 14568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-03-04 14:42:26 14568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-03-04 14:42:25 14568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-03-04 14:42:25 14568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-03-04 14:42:24 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-03-04 14:42:23 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-03-04 14:42:20 83096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-03-04 14:42:15 0 d-------- C:\Program Files\Sygate
2007-03-03 23:26:12 0 d-------- C:\Program Files\a-squared Free<A-SQUA~2>
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\zts2.exe
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\rundl132.dll
2007-03-03 04:10:14 0 d-------- C:\WINDOWS\Prefetch
2007-02-26 20:36:44 0 d-------- C:\Documents and Settings\chris pc\Application Data\PC Tools<PCTOOL~1>
2007-02-25 05:14:44 349760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-25 05:14:44 288320 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-24 07:46:09 0 d-------- C:\Program Files\Registry Mechanic<REGIST~1>
2007-02-19 18:15:31 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-19 18:15:25 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-02-19 18:15:25 0 d-------- C:\Documents and Settings\chris pc\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-16 01:53:50 0 d-------- C:\Program Files\DVDFab Platinum 3<DVDFAB~1>
2007-02-15 15:15:27 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-15 15:15:26 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-02-14 07:59:28 0 d-------- C:\Program Files\Lavasoft
2007-02-14 05:14:57 0 d-------- C:\Program Files\DVD Shrink<DVDSHR~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-11 15:58:04 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~2>
2007-03-11 14:42:11 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~2>
2007-03-11 13:56:43 0 d-------- C:\Documents and Settings\chris pc\Application Data\uTorrent
2007-03-11 12:49:59 0 d-------- C:\Program Files\Mozilla Thunderbird<MOZILL~1>
2007-03-07 20:26:19 0 d-------- C:\Documents and Settings\chris pc\Application Data\MailWasher<MAILWA~1>
2007-03-06 23:13:32 0 dr-h----- C:\Documents and Settings\chris pc\Application Data\yahoo!
2007-03-06 03:38:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-05 21:47:24 0 d-------- C:\Documents and Settings\chris pc\Application Data\Image Zone Express<IMAGEZ~1>
2007-03-04 16:47:43 0 d---s---- C:\Documents and Settings\chris pc\Application Data\Microsoft<MICROS~1>
2007-03-03 00:11:54 0 d-------- C:\Program Files\Common Files\MicroWorld<MICROW~1>
2007-03-02 22:15:30 0 d-------- C:\Documents and Settings\chris pc\Application Data\Vso
2007-02-28 03:41:52 0 d-------- C:\Program Files\iTunes
2007-02-25 05:21:08 0 d-------- C:\Program Files\SlySoft
2007-02-14 07:59:48 0 d-------- C:\Documents and Settings\chris pc\Application Data\Lavasoft
2007-02-11 14:47:48 0 d-------- C:\Documents and Settings\chris pc\Application Data\Ahead
2007-02-10 22:33:45 34 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.log
2007-02-10 22:33:40 47360 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.sys
2007-02-10 22:33:40 1144 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.inf
2007-02-10 22:33:40 1074 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.cat
2007-02-10 22:33:40 87608 --a------ C:\Documents and Settings\chris pc\Application Data\ezpinst.exe
2007-02-10 22:33:38 0 d-------- C:\Program Files\vso
2007-02-10 22:02:36 0 d-------- C:\Program Files\Ahead
2007-02-10 01:01:06 0 d-------- C:\Documents and Settings\chris pc\Application Data\Uniblue
2007-02-10 00:51:28 0 d-------- C:\Documents and Settings\chris pc\Application Data\SlySoft
2007-02-08 23:59:59 0 d-------- C:\Program Files\PartyGaming<PARTYG~1>
2007-02-07 21:03:13 8192 --a------ C:\WINDOWS\system32\cidaemon.exe
2007-02-07 12:52:04 0 d-------- C:\Program Files\Common Files\Real
2007-02-07 12:51:47 0 d-------- C:\Documents and Settings\chris pc\Application Data\Real
2007-02-04 13:38:36 0 d-------- C:\Program Files\ToniArts
2007-02-04 10:22:20 0 d-------- C:\Documents and Settings\chris pc\Application Data\CyberLink<CYBERL~1>
2007-02-04 06:36:58 0 d-------- C:\Program Files\MailWasher<MAILWA~1>
2007-02-04 02:41:43 0 d-------- C:\Documents and Settings\chris pc\Application Data\MailWasherPro<MAILWA~2>
2007-02-03 02:59:51 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>
2007-02-03 02:51:50 0 d-------- C:\Documents and Settings\chris pc\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-02-01 20:52:39 0 d-------- C:\Documents and Settings\chris pc\Application Data\MSNInstaller<MSNINS~1>
2007-02-01 01:44:25 0 d-------- C:\Program Files\Raw Logic Software<RAWLOG~1>
2007-01-31 22:36:38 0 d-------- C:\Program Files\Western Digital Technologies<WESTER~1>
2007-01-29 01:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-28 16:32:45 0 d-------- C:\Documents and Settings\chris pc\Application Data\MyPhoneExplorer<MYPHON~1>
2007-01-28 16:27:30 0 d-------- C:\Program Files\MyPhoneExplorer<MYPHON~1>
2007-01-26 09:09:28 0 d-------- C:\Program Files\Common Files\Agnitum Shared<AGNITU~1>
2007-01-16 07:08:58 1992 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-15 19:36:04 117644 --a------ C:\WINDOWS\hpoins11.dat
2007-01-15 19:35:07 0 d-------- C:\Program Files\Common Files\HP
2007-01-15 19:33:34 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-01-15 19:33:33 0 d-------- C:\Program Files\HP
2007-01-14 17:40:01 0 d-------- C:\Documents and Settings\chris pc\Application Data\McAfee
2007-01-14 06:35:00 0 d-------- C:\Documents and Settings\chris pc\Application Data\SiteAdvisor<SITEAD~1>
2007-01-12 13:42:34 14 --a------ C:\WINDOWS\system32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-12 10:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 10:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-04 22:17:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-02 14:14:53 7685 --a------ C:\WINDOWS\mozver.dat
2006-12-19 14:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 14:36:45 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-19 14:29:22 82032 --a------ C:\WINDOWS\winsbak2.reg
2006-12-19 14:29:22 11026 --a------ C:\WINDOWS\winsbak.reg
2006-12-19 12:05:55 0 -rahs---- C:\MSDOS.SYS
2006-12-19 12:05:55 0 -rahs---- C:\IO.SYS
2006-12-19 12:05:55 0 --a------ C:\CONFIG.SYS
2006-12-19 12:05:55 0 -----n--- C:\AUTOEXEC.BAT
2006-12-19 12:03:02 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
2006-12-19 11:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-19 03:56:12 62 --ahs---- C:\Documents and Settings\chris pc\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"InCD"="\"C:\\Program Files\\Ahead\\InCD\\InCD.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-03-11 at 16:17:44 -------------

I've got the worms in quarantine in Spyware Doctor. Also, HijackThis is on my desktop; I have never used it.
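The "Files created" section of the ComboScan log above is the part a responder would read first: four files under C:\WINDOWS and C:\WINDOWS\system32 (zts2.exe, vcmgcd32.dll, iifgfgf.dll, rundl132.dll) were all created in the same second, all report a size of 0, and all carry a "d" (directory) attribute despite having executable extensions. The script below is an added example, not part of the forum post or of ComboScan; it parses lines in the log's own format and applies three triage heuristics of my own (directory flag on an executable-named path, zero-byte executable in a system directory, several such files created in one second). The sample input is constructed from lines copied out of the posted log plus a few benign neighbours for contrast. A hit is a prompt to inspect the file by hand, not a verdict: attribute strings in a consolidated log can be a rendering quirk, so confirm with a directory listing before deleting anything.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the "Files created" section of the
# posted ComboScan log, with a few benign entries kept for contrast.
SAMPLE_LOG = r"""
2007-03-11 14:22:05 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-03-05 20:50:13 0 d--h---c- C:\WINDOWS\ie7
2007-03-04 19:08:58 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-03 23:26:12 0 d-------- C:\Program Files\a-squared Free<A-SQUA~2>
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\zts2.exe
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-03 23:17:47 0 d-a------ C:\WINDOWS\rundl132.dll
2007-03-03 04:10:14 0 d-------- C:\WINDOWS\Prefetch
"""

# ComboScan file-listing line: "<date> <time> <size> <9-char attrs> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{9}) (.+)$")

# Extensions Windows will execute or load directly (assumed list for the heuristic).
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


def parse_line(line):
    """Return a dict for one file-listing line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    # ComboScan appends the 8.3 short name in angle brackets; drop it.
    path = re.sub(r"<[^>]*>$", "", path)
    return {"ts": ts, "size": int(size), "attrs": attrs, "path": path}


def in_system_dir(path):
    """True for anything under the Windows directory (case-insensitive)."""
    return path.lower().startswith("c:\\windows\\")


def is_exec_name(path):
    return path.lower().endswith(EXEC_EXTS)


def triage(log_text, batch_threshold=3):
    """Apply the three heuristics; return (per-file findings, same-second batches)."""
    entries = [e for e in (parse_line(l) for l in log_text.strip().splitlines()) if e]
    findings = []
    by_second = defaultdict(list)
    for e in entries:
        reasons = []
        # Heuristic 1: a "directory" attribute on something named like a binary.
        if e["attrs"][0] == "d" and is_exec_name(e["path"]):
            reasons.append("directory attribute on an executable-named path")
        # Heuristic 2: zero-byte binary dropped into the Windows tree.
        if e["size"] == 0 and is_exec_name(e["path"]) and in_system_dir(e["path"]):
            reasons.append("zero-byte executable in a system directory")
        if reasons:
            findings.append((e["path"], reasons))
        # Heuristic 3 (collected here, evaluated below): binaries created in bursts.
        if in_system_dir(e["path"]) and is_exec_name(e["path"]):
            by_second[e["ts"]].append(e["path"])
    batches = {ts: paths for ts, paths in by_second.items() if len(paths) >= batch_threshold}
    return findings, batches


if __name__ == "__main__":
    found, bursts = triage(SAMPLE_LOG)
    for path, why in found:
        print(f"{path}: {'; '.join(why)}")
    for ts, paths in bursts.items():
        print(f"{len(paths)} system binaries created at {ts}")
```

Run against the full log, the script should flag exactly the four 23:17:47 entries and nothing from the avast!, Sygate or Spyware Doctor driver installs, which have real sizes and plain `--a------` attributes. The same-second batch check is the most portable of the three: installers also drop files in bursts, but they drop them into their own Program Files tree, not loose into C:\WINDOWS.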
 
#4 ·
Spyware Doctor Activity Report
Generated on 3/11/2007 4:34:58 PM
Scans (basic information only):
Scan Results:
scan start: 3/11/2007 4:37:13 PM
scan stop: 3/11/2007 4:37:16 PM
scanned items: 318
found items: 0
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk

Scan Results:
scan start: 3/11/2007 4:37:20 PM
scan stop: 3/11/2007 4:45:37 PM
scanned items: 77940
found items: 0
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk


 
#5 · (Edited)
OK, am I waiting for something? How does HijackThis work? How do I get rid of HijackThis and ComboScan? Can I delete the files in SD?

ComboScan v20070306.20 run by chris pc on 2007-03-11 at 16:15:20
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1023.48 MiB / 576.92 MiB
Pagefile Memory (total/avail): 2460.85 MiB / 2068.71 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1987.01 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 149.04 GiB total, 129.42 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: R-Firewall v01.05.0053 (R-TT)
FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: avast! antivirus 4.7.942 [VPS 000722-4] v4.7.942 (ALWIL Software)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\chris pc\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\chris pc
LOGONSERVER=\\HOME
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL;C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CHRISP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHRISP~1\LOCALS~1\Temp
USERDOMAIN=HOME
USERNAME=chris pc
USERPROFILE=C:\Documents and Settings\chris pc
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

chris pc (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 2.1 --> "C:\Program Files\a-squared Free\unins000.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{12434270-10FC-401B-BF3C-A839A97AFAED}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Belkin Bluetooth Software --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
ConvertXtoDVD 2.1.12.214 --> "C:\Program Files\vso\ConvertXtoDVD\unins000.exe"
DriverCD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GIGABYTE\DriverCD\Uninst.isu"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
DVDFab Platinum 3.0.8.0 --> "C:\Program Files\DVDFab Platinum 3\unins000.exe"
EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
MailWasher --> "C:\Program Files\MailWasher\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (1.5.0.10) --> C:\PROGRA~1\MOZILL~2\uninstall\uninstall.exe /ua "1.5.0.10 (en-US)"
Mozilla Thunderbird (1.5.0.10) --> C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5.0.10 (en-US)"
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
MyPhoneExplorer --> C:\Program Files\MyPhoneExplorer\uninstall.exe
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\SETUP.EXE" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RtlUpd.exe -r
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Sony Ericsson File Manager --> MsiExec.exe /X{60E5B847-2353-4AE3-829E-685937EDDC40}
Spyware Doctor 4.0 --> C:\Program Files\Spyware Doctor\unins000.exe
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- End of ComboScan: finished at 2007-03-11 at 16:17:44 ------------------------

Sorry about that, like I said, I've never done this before.
 
#6 ·
please explain

Can someone explain to me how HijackThis works? I have no idea. I've posted a log and downloaded HijackThis to my desktop. What next? How do you "hijack", what do you hijack, and what does ComboScan do? Do I click on HijackThis and pick a file, or ComboScan? What's the process?
 
#7 ·
Hello samual,

Please do not create multiple threads for the same issue. I've merged this post to your original thread.

As was explained in the 5-Step Process that you read earlier, a Security Analyst will be along as soon as possible to review your logs and craft a fix for you.
 
#9 ·
Hello,

You had this thread already begun, then began a second which I merged here and then a third thread which I subsequently deleted.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop** Do not run it yet.

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders

C:\WINDOWS\rundl132.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\zts2.exe


--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

AVG A-S results
Panda results
C:\ComboFix.txt
New HijackThis log
 
#10 · (Edited by Moderator)
black worm/ viking worm

I didn't get a report from Panda; it was clean. Also the HijackThis log, can get it up here, may need to try again.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:12:00 PM 3/12/2007

+ Scan result:



:mozilla.150:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.151:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.152:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.162:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.175:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.170:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.192:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.257:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.258:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.259:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.272:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.292:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.65:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.66:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.75:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.76:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.225:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.226:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.227:C:\Documents and Settings\chris pc\Application Data\Mozilla\Firefox\Profiles\0727qjr8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.


::Report end

"chris pc" - 07-03-13 0:06:35 Service Pack 2
ComboFix 07-03-12 - Running from: "C:\Documents and Settings\chris pc\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-13 to 2007-03-13 ))))))))))))))))))))))))))))))))))


2007-03-12 23:29 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-12 21:44 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-12 13:24 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-12 13:24 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-12 13:24 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-12 13:24 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-03-12 13:24 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-12 13:24 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-12 13:24 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-03-12 04:41 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-03-12 03:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-03-11 18:28 84,418 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\firstlsp.reg.dat
2007-03-11 16:08 <DIR> d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\DMCache
2007-03-06 23:04 <DIR> d-------- C:\Program Files\MySpace
2007-03-06 23:04 <DIR> d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\MySpace
2007-03-04 14:42 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-03-04 14:42 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-03-04 14:42 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-03-04 14:42 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-03-04 14:42 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-03-04 14:42 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-03-04 14:42 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-03-04 14:42 <DIR> d-------- C:\Program Files\Sygate
2007-03-03 23:26 <DIR> d-------- C:\Program Files\a-squared Free
2007-03-03 04:10 <DIR> d-------- C:\WINDOWS\Prefetch
2007-02-26 20:36 <DIR> d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\PC Tools
2007-02-25 05:14 349,760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-25 05:14 288,320 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-19 18:15 <DIR> d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\SUPERAntiSpyware.com
2007-02-19 18:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-02-16 01:53 <DIR> d-------- C:\Program Files\DVDFab Platinum 3
2007-02-15 15:15 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-15 15:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-02-14 07:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-02-14 05:14 <DIR> d-------- C:\Program Files\DVD Shrink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-12 23:49 -------- d-------- C:\Program Files\itunes
2007-03-12 22:05 -------- d-------- C:\Program Files\mozilla thunderbird
2007-03-12 21:56 -------- d-------- C:\Program Files\spyware doctor
2007-03-11 20:13 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\vso
2007-03-11 13:56 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\utorrent
2007-03-07 20:26 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\mailwasher
2007-03-06 23:13 -------- dr-h----- C:\DOCUME~1\CHRISP~1\APPLIC~1\yahoo!
2007-03-06 03:38 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-05 21:47 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\image zone express
2007-03-04 16:47 -------- d---s---- C:\DOCUME~1\CHRISP~1\APPLIC~1\microsoft
2007-03-03 00:11 -------- d-------- C:\Program Files\Common Files\microworld
2007-02-25 05:21 -------- d-------- C:\Program Files\slysoft
2007-02-14 07:59 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\lavasoft
2007-02-11 14:47 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\ahead
2007-02-10 22:33 87608 --a------ C:\DOCUME~1\CHRISP~1\APPLIC~1\ezpinst.exe
2007-02-10 22:33 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-02-10 22:33 47360 --a------ C:\DOCUME~1\CHRISP~1\APPLIC~1\pcouffin.sys
2007-02-10 22:33 34 --a------ C:\DOCUME~1\CHRISP~1\APPLIC~1\pcouffin.log
2007-02-10 22:33 1144 --a------ C:\DOCUME~1\CHRISP~1\APPLIC~1\pcouffin.inf
2007-02-10 22:33 1074 --a------ C:\DOCUME~1\CHRISP~1\APPLIC~1\pcouffin.cat
2007-02-10 22:33 -------- d-------- C:\Program Files\vso
2007-02-10 22:02 -------- d-------- C:\Program Files\ahead
2007-02-10 01:01 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\uniblue
2007-02-10 00:51 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\slysoft
2007-02-08 23:59 -------- d-------- C:\Program Files\partygaming
2007-02-07 21:03 8192 --a------ C:\WINDOWS\system32\cidaemon.exe
2007-02-07 12:52 -------- d-------- C:\Program Files\Common Files\real
2007-02-07 12:51 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\real
2007-02-04 13:38 -------- d-------- C:\Program Files\toniarts
2007-02-04 10:22 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\cyberlink
2007-02-04 06:36 -------- d-------- C:\Program Files\mailwasher
2007-02-04 02:41 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\mailwasherpro
2007-02-03 02:59 -------- d-------- C:\Program Files\openoffice.org 2.1
2007-02-03 02:51 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\openoffice.org2
2007-02-01 20:52 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\msninstaller
2007-02-01 01:44 -------- d-------- C:\Program Files\raw logic software
2007-01-31 22:36 -------- d-------- C:\Program Files\western digital technologies
2007-01-28 16:32 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\myphoneexplorer
2007-01-28 16:27 -------- d-------- C:\Program Files\myphoneexplorer
2007-01-26 09:09 -------- d-------- C:\Program Files\Common Files\agnitum shared
2007-01-16 07:08 1992 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-15 19:36 117644 --a------ C:\WINDOWS\hpoins11.dat
2007-01-15 19:35 -------- d-------- C:\Program Files\Common Files\hp
2007-01-15 19:33 -------- d-------- C:\Program Files\hp
2007-01-15 19:33 -------- d-------- C:\Program Files\hewlett-packard
2007-01-14 17:40 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\mcafee
2007-01-14 06:35 -------- d-------- C:\DOCUME~1\CHRISP~1\APPLIC~1\siteadvisor
2007-01-12 13:42 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-04 22:17 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-02 14:14 7685 --a------ C:\WINDOWS\mozver.dat
2006-12-19 14:36 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-19 14:29 82032 --a------ C:\WINDOWS\winsbak2.reg
2006-12-19 14:29 11026 --a------ C:\WINDOWS\winsbak.reg
2006-12-19 12:05 0 -rahs---- C:\MSDOS.SYS
2006-12-19 12:05 0 -rahs---- C:\IO.SYS
2006-12-19 12:05 0 --a------ C:\CONFIG.SYS
2006-12-19 12:05 0 --------- C:\AUTOEXEC.BAT
2006-12-19 12:03 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2006-12-19 03:56 62 --ahs---- C:\DOCUME~1\CHRISP~1\APPLIC~1\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"InCD"="\"C:\\Program Files\\Ahead\\InCD\\InCD.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-13 0:07:25
 


#13 ·
Logfile of HijackThis v1.99.1
Scan saved at 12:20:58 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\chris pc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170349875140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170351159718
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4949/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
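The O3/O4 entries the analyst asked to have fixed in post #9, the four files listed there for manual deletion, and the HijackThis log just above all come down to one triage question: does an autostart entry point at a real, fully qualified file? The Python script below is an added example, not HijackThis's own code and not anything posted by this thread's participants. It parses lines in the layout HijackThis v1.99.1 writes (the sample log is constructed from entry shapes seen in this thread), flags entries the log itself reports as missing, flags Run values that name a bare executable with no directory (like [Alcmtr] ALCMTR.EXE, which Windows resolves through the search path), and checks whether the listed files are still on disk. The verdict strings, function names and the injectable `exists` hook are the example's own choices. A bare name is a reason to locate and verify the file, not proof of infection: RTHDCPL.EXE in the same log is the Realtek audio control panel, and the "(file missing)" on the avast! service lines should be confirmed on disk before anything is removed.

```python
import os
import re

# Constructed sample in the layout HijackThis v1.99.1 uses, built from entry
# shapes that appear in this thread. The [Alcmtr] ALCMTR.EXE line and the
# "(no file)" toolbar are the two entries the analyst asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Verdict labels (this example's own wording).
MISSING = "target reported missing; confirm on disk before removing"
UNQUALIFIED = "bare executable name resolved via the search path; locate the file and verify it"
NOFLAG = "no flag raised by these checks"

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Body of an O4 Run entry: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# First token ending in an executable extension, so unquoted paths with spaces survive.
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

# The four paths the analyst listed for manual deletion in post #9; note that
# rundl132.dll is spelled to resemble the legitimate rundll32 name.
FILES_TO_REMOVE = [
    r"C:\WINDOWS\rundl132.dll",
    r"C:\WINDOWS\system32\iifgfgf.dll",
    r"C:\WINDOWS\system32\vcmgcd32.dll",
    r"C:\WINDOWS\zts2.exe",
]


def parse_entry(line):
    """Split one HijackThis line into (section, body); non-entry lines give None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def executable_of(command):
    """Return the program part of a Run value: the quoted path if the value is
    quoted, otherwise the first token that ends in an executable extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(text):
    """Return one (section, label, verdict) tuple per log entry, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        section, body = entry
        # HijackThis marks orphaned entries itself; keep the analyst in the loop.
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, body, MISSING))
            continue
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            hive, name, command = run.groups()
            exe = executable_of(command)
            verdict = UNQUALIFIED if "\\" not in exe else NOFLAG
            findings.append((section, f"{hive} [{name}] {exe}", verdict))
        else:
            findings.append((section, body, NOFLAG))
    return findings


def still_present(paths, exists=os.path.exists):
    """Report which of the listed paths still exist after the manual clean-up.
    `exists` is injectable so the check can be exercised offline or on a
    non-Windows host."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    for section, label, verdict in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:<70} {label}")
    print("still present:", still_present(FILES_TO_REMOVE))
```

Run it as-is to see the sample triage; to use it on a real log, read the saved hijackthis.log into `triage()` and run `still_present(FILES_TO_REMOVE)` on the cleaned machine. The script only reports; the removal decisions stay with the person reading the log, which is how the analyst in this thread worked as well.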
 
#15 ·
Really good. I'm worried about connecting the other PC. I've got a network; my boy's P3 got the worms as well. I've deleted them and cleaned out the same stuff that was on mine. Might have to connect it to the net by itself just to be on the safe side and do the whole process again, which will be easy this time round lol. Thanks a lot for your help. Regards, samual
 
#16 ·
Hi samual,

It would be a good idea to run the ComboScan on the other PCs and begin a new thread for each PC and let us check them out. If you decide to post those logs, please indicate in the title of your thread '2nd Computer' or '3rd Computer', so the threads are not mistaken for duplicate threads.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
* Go to Start > Run - type wuaucpl.cpl
* Tick the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically. :smile:
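What IE-SPYAD actually does is write each listed domain into Internet Explorer's ZoneMap in the registry with the Restricted Sites zone number. The script below is an added example for this thread, not code from the thread or from IE-SPYAD: it builds a .reg file that does the same thing for a list of hostnames. The domain list is constructed for illustration, and the helper names are the example's own. It assumes the ZoneMap layout IE uses: the last two labels of the host are the key, anything in front of them becomes a subkey, the value name "*" means every scheme, and dword 4 is the Restricted zone (1 intranet, 2 trusted, 3 internet). Because IE keys on the last two labels regardless of public suffix, a host under co.uk lands under a co.uk key, and this example does the same.

```python
import re

# Internet Explorer zone numbers: 1 intranet, 2 trusted, 3 internet, 4 restricted.
RESTRICTED_ZONE = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed input for this example; this is not the IE-SPYAD list.
SAMPLE_DOMAINS = [
    "http://ads.example.test/landing",
    "Example.TEST.",
    "tracker.example.net",
    "bad.tracker.example.net",
]


def normalize_domain(raw):
    """Lower-case, strip scheme, path, port and trailing dot; reject non-hostnames."""
    host = raw.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a usable hostname: {raw!r}")
    return host


def collapse(domains):
    """Deduplicate and drop hosts already covered by a listed parent domain."""
    hosts = sorted({normalize_domain(d) for d in domains}, key=lambda h: h.count("."))
    kept = []
    for host in hosts:
        if not any(host == k or host.endswith("." + k) for k in kept):
            kept.append(host)
    return sorted(kept)


def zone_key(host):
    """IE keys the ZoneMap on the last two labels; anything in front becomes a subkey
    (ads.example.test lands in the example.test key, subkey ads)."""
    labels = host.split(".")
    base = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return f"{ZONEMAP}\\{base}\\{prefix}" if prefix else f"{ZONEMAP}\\{base}"


def restricted_zone_reg(domains):
    """Render a .reg file mapping every collapsed host, all schemes ("*"), to zone 4."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in collapse(domains):
        lines += [f"[{zone_key(host)}]", f'"*"=dword:{RESTRICTED_ZONE:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(restricted_zone_reg(SAMPLE_DOMAINS))
```

Save the output as a .reg file and import it with regedit to apply it; the Restricted Sites zone only limits what IE will run from those hosts, so, as the post above says, the browser can still connect to them.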
 
#18 ·
This can be a persistent worm--which is why I left this thread 'open'.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.

-------------------------------------------------

I'd also like to see an online scan done here:

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply along with a new Hijack This log
-------------------------------------------------

And of course I'll need a new ComboScan. Post the ComboScan.txt here along with the DrWeb and BitDefender results.
 
#19 ·
OK, BitDefender came up clean and Dr.Web,

ComboScan v20070306.20 run by chris pc on 2007-03-15 at 11:01:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as chris pc.exe) -------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:02:15 AM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\5248\SiteAdv.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\5248\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\chris pc\Desktop\comboscan.exe
C:\DOCUME~1\CHRISP~1\Desktop\chris pc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5248\SiteAdv.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170349875140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170351159718
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4949/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5248\SAService.exe


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 10:10:03 0 d-------- C:\WINDOWS\LastGood
2007-03-15 09:40:10 0 d-------- C:\Documents and Settings\chris pc\DoctorWeb<DOCTOR~1>
2007-03-14 20:49:18 0 d-------- C:\WINDOWS\system32\Color
2007-03-14 20:49:18 0 d-------- C:\Program Files\E-Color
2007-03-14 20:43:42 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe<NEROCH~1.EXE>
2007-03-14 20:43:25 0 d-------- C:\Program Files\Common Files\Nero
2007-03-14 19:47:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor<SITEAD~1>
2007-03-14 19:47:05 0 d-------- C:\Program Files\SiteAdvisor<SITEAD~1>
2007-03-14 19:46:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor<SITEAD~1>
2007-03-14 17:15:31 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-14 13:53:55 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-03-14 13:53:54 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-03-14 13:53:48 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1>
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\zts2.exe
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\rundl132.dll
2007-03-12 21:44:00 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-12 21:43:57 0 d-------- C:\Program Files\Grisoft
2007-03-12 13:24:35 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-03-12 13:24:33 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-12 13:24:33 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-12 13:24:30 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-12 13:24:30 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-12 13:24:22 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-03-12 03:21:39 0 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-03-11 16:08:17 0 d-------- C:\Documents and Settings\chris pc\Application Data\DMCache
2007-03-06 23:04:44 0 d-------- C:\Documents and Settings\chris pc\Application Data\MySpace
2007-03-06 23:04:42 0 d-------- C:\Program Files\MySpace
2007-03-05 20:50:13 0 d--h---c- C:\WINDOWS\ie7
2007-03-03 23:26:12 0 d-------- C:\Program Files\a-squared Free<A-SQUA~2>
2007-03-03 04:10:14 0 d-------- C:\WINDOWS\Prefetch
2007-02-26 20:36:44 0 d-------- C:\Documents and Settings\chris pc\Application Data\PC Tools<PCTOOL~1>
2007-02-25 05:14:44 349760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-25 05:14:44 288320 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-24 07:46:09 0 d-------- C:\Program Files\Registry Mechanic<REGIST~1>
2007-02-19 18:15:31 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-19 18:15:25 0 d-------- C:\Documents and Settings\chris pc\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-16 01:53:50 0 d-------- C:\Program Files\DVDFab Platinum 3<DVDFAB~1>
2007-02-15 15:15:27 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-15 15:15:26 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-15 10:54:38 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~2>
2007-03-15 10:30:24 0 d-------- C:\Program Files\HP
2007-03-15 09:16:41 0 d-------- C:\Documents and Settings\chris pc\Application Data\MailWasher<MAILWA~1>
2007-03-15 07:57:37 0 d-------- C:\Program Files\Mozilla Thunderbird<MOZILL~1>
2007-03-14 20:35:23 0 d-------- C:\Program Files\SlySoft
2007-03-14 20:21:28 0 d-------- C:\Documents and Settings\chris pc\Application Data\Vso
2007-03-14 19:59:04 0 d-------- C:\Documents and Settings\chris pc\Application Data\SiteAdvisor<SITEAD~1>
2007-03-14 13:05:37 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-14 00:33:18 0 d-------- C:\Program Files\iTunes
2007-03-13 10:29:20 0 d-------- C:\Documents and Settings\chris pc\Application Data\uTorrent
2007-03-06 23:13:32 0 dr-h----- C:\Documents and Settings\chris pc\Application Data\yahoo!
2007-03-06 03:38:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-05 21:47:24 0 d-------- C:\Documents and Settings\chris pc\Application Data\Image Zone Express<IMAGEZ~1>
2007-03-04 16:47:43 0 d---s---- C:\Documents and Settings\chris pc\Application Data\Microsoft<MICROS~1>
2007-03-03 00:11:54 0 d-------- C:\Program Files\Common Files\MicroWorld<MICROW~1>
2007-02-14 07:59:48 0 d-------- C:\Documents and Settings\chris pc\Application Data\Lavasoft
2007-02-14 07:59:28 0 d-------- C:\Program Files\Lavasoft
2007-02-14 05:14:57 0 d-------- C:\Program Files\DVD Shrink<DVDSHR~1>
2007-02-11 14:47:48 0 d-------- C:\Documents and Settings\chris pc\Application Data\Ahead
2007-02-10 22:33:45 34 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.log
2007-02-10 22:33:40 47360 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.sys
2007-02-10 22:33:40 1144 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.inf
2007-02-10 22:33:40 1074 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.cat
2007-02-10 22:33:40 87608 --a------ C:\Documents and Settings\chris pc\Application Data\ezpinst.exe
2007-02-10 22:33:38 0 d-------- C:\Program Files\vso
2007-02-10 22:02:36 0 d-------- C:\Program Files\Ahead
2007-02-10 01:01:06 0 d-------- C:\Documents and Settings\chris pc\Application Data\Uniblue
2007-02-10 00:51:28 0 d-------- C:\Documents and Settings\chris pc\Application Data\SlySoft
2007-02-08 23:59:59 0 d-------- C:\Program Files\PartyGaming<PARTYG~1>
2007-02-07 21:03:13 8192 --a------ C:\WINDOWS\system32\cidaemon.exe
2007-02-07 12:52:04 0 d-------- C:\Program Files\Common Files\Real
2007-02-07 12:51:47 0 d-------- C:\Documents and Settings\chris pc\Application Data\Real
2007-02-04 13:38:36 0 d-------- C:\Program Files\ToniArts
2007-02-04 10:22:20 0 d-------- C:\Documents and Settings\chris pc\Application Data\CyberLink<CYBERL~1>
2007-02-04 06:36:58 0 d-------- C:\Program Files\MailWasher<MAILWA~1>
2007-02-04 02:41:43 0 d-------- C:\Documents and Settings\chris pc\Application Data\MailWasherPro<MAILWA~2>
2007-02-03 02:59:51 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>
2007-02-03 02:51:50 0 d-------- C:\Documents and Settings\chris pc\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-02-01 20:52:39 0 d-------- C:\Documents and Settings\chris pc\Application Data\MSNInstaller<MSNINS~1>
2007-02-01 01:44:25 0 d-------- C:\Program Files\Raw Logic Software<RAWLOG~1>
2007-01-31 22:36:38 0 d-------- C:\Program Files\Western Digital Technologies<WESTER~1>
2007-01-29 01:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-28 16:32:45 0 d-------- C:\Documents and Settings\chris pc\Application Data\MyPhoneExplorer<MYPHON~1>
2007-01-28 16:27:30 0 d-------- C:\Program Files\MyPhoneExplorer<MYPHON~1>
2007-01-26 09:09:28 0 d-------- C:\Program Files\Common Files\Agnitum Shared<AGNITU~1>
2007-01-16 07:08:58 1992 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-15 19:36:04 117644 --a------ C:\WINDOWS\hpoins11.dat
2007-01-15 19:35:07 0 d-------- C:\Program Files\Common Files\HP
2007-01-15 19:33:34 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-01-12 13:42:34 14 --a------ C:\WINDOWS\system32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-12 10:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 10:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-04 22:17:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-02 14:14:53 7685 --a------ C:\WINDOWS\mozver.dat
2006-12-19 14:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 14:36:45 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-19 14:29:22 82032 --a------ C:\WINDOWS\winsbak2.reg
2006-12-19 14:29:22 11026 --a------ C:\WINDOWS\winsbak.reg
2006-12-19 12:05:55 0 -rahs---- C:\MSDOS.SYS
2006-12-19 12:05:55 0 -rahs---- C:\IO.SYS
2006-12-19 12:05:55 0 --a------ C:\CONFIG.SYS
2006-12-19 12:05:55 0 -----n--- C:\AUTOEXEC.BAT
2006-12-19 12:03:02 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
2006-12-19 11:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-19 03:56:12 62 --ahs---- C:\Documents and Settings\chris pc\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"RTHDCPL"="RTHDCPL.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\5248\\SiteAdv.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-03-15 at 11:02:41 ------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:02:15 AM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\5248\SiteAdv.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\5248\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\chris pc\Desktop\comboscan.exe
C:\DOCUME~1\CHRISP~1\Desktop\chris pc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5248\SiteAdv.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170349875140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170351159718
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4949/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5248\SAService.exe

I think all is well. SD was compromised; I'd loaded a clean install, ran a scan, it picked up CWS, Black Worm and Viking Worm, I deleted them this morning. Seems OK.
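The logs in this thread are read by eye. As an added example, not code from the thread or from the HijackThis or ComboScan tools, here is a small Python triage script that parses HijackThis "O" lines and ComboScan "Files created" lines and applies a few of the checks a log reader does by hand: dangling "(file missing)" references, unnamed BHOs and buttons, Winlogon Notify DLLs, ActiveX downloads from hosts outside an allowlist, executables created directly in C:\WINDOWS, directory entries named like binaries, and filenames that imitate system binaries by swapping digits for letters (rundl132 reads as rundll32 once the 1 is read as an l). The sample lines are copied from the log above; the allowlist, the system-binary table and the rule names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the ComboScan/HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\zts2.exe
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\rundl132.dll
2007-03-14 20:43:42 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe<NEROCH~1.EXE>
"""

HJT_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) (?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+?)(?:<[^>]*>)?$"
)

# Analyst-maintained allowlist and name tables; these are assumptions of the example.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "bitdefender.com", "mcafee.com", "f-secure.com")
SYSTEM_BINARIES = {"rundll32", "svchost", "lsass", "csrss", "smss", "winlogon",
                   "services", "explorer", "spoolsv"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".pif", ".com", ".bat", ".cmd")
WINDOWS_ROOT = r"c:\windows"


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def lookalike_of(filename):
    """Return the system binary a name imitates via digit-for-letter swaps, else None."""
    stem = filename.rsplit(".", 1)[0].lower()
    if stem in SYSTEM_BINARIES:
        return None  # the genuine name is not a lookalike
    normalized = stem.translate(HOMOGLYPHS)
    return normalized if normalized in SYSTEM_BINARIES else None


def triage_hjt(kind, body, line):
    out = []
    if "(file missing)" in body:
        out.append(Finding("dangling-reference", line))
    if kind in ("O2", "O3", "O9") and "(no name)" in body:
        out.append(Finding("unnamed-browser-extension", line))
    if kind == "O20":  # Winlogon Notify DLLs load into winlogon.exe: always review
        out.append(Finding("winlogon-notify", line))
    if kind == "O16":
        m = re.search(r"https?://\S+", body)
        host = urlsplit(m.group()).hostname if m else ""
        if host and not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
            out.append(Finding("activex-from-untrusted-host", line))
    return out


def triage_created(attrs, path, line):
    out = []
    parent, _, name = path.rpartition("\\")
    if name.lower().endswith(EXEC_EXT):
        if attrs.startswith("d"):  # a directory carrying a binary's name
            out.append(Finding("directory-named-like-binary", line))
        if parent.lower() == WINDOWS_ROOT:  # binaries belong in system32, not the root
            out.append(Finding("binary-in-windows-root", line))
    target = lookalike_of(name)
    if target:
        out.append(Finding(f"lookalike-of-{target}", line))
    return out


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HJT_RE.match(line)
        if m:
            findings.extend(triage_hjt(m["kind"], m["body"], line))
            continue
        m = CREATED_RE.match(line)
        if m:
            findings.extend(triage_created(m["attrs"], m["path"], line))
    return findings


def rules_hit(log_text):
    return sorted({f.rule for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.line}")
```

A hit is a prompt to ask about the entry, not a verdict: a zero-byte directory that carries a binary's name can be a cleaner's placeholder as easily as a leftover of an infection, which is exactly the kind of entry the helper in this thread asks about before anything is deleted.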
 
#21 · (Edited)
You're still infected--we can't fix anything until we remove the infection and this one is particularly nasty. Please stop 'fixing' it with Spyware Doctor as it's not doing a thorough job and may be hiding entries from me temporarily.

This is important--did you clean it with Spyware Doctor before you ran this ComboScan?

I'd like you to run ComboScan again, but do it in the following manner:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\comboscan.exe" /config

A box will pop up. There should already be a check mark next to 'ComboScan Log' and a few categories below that. Place a 'check' next to everything under the ComboScan Log category.

'Check' the SupplementaryLog Category
In the list below it, 'check' Add/Remove programs

Click Scan!

When finished, it shall produce a log for you. Post that log in your next reply.
 
#22 · (Edited by Moderator)
System Restore was off and I opened hidden files. And yes, Spyware Doctor did clean it up; I deleted the files.

ComboScan v20070306.20 run by chris pc on 2007-03-15 at 17:31:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-03-16 00:31:05 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as chris pc.exe) -------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:31:38 PM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\5248\SiteAdv.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\5248\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\chris pc\desktop\comboscan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\HIJACK~1\chris pc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5248\SiteAdv.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170349875140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170351159718
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4949/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5248\SAService.exe


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1R Aavmker4 (avast! Asynchronous Virus Monitor) - C:\WINDOWS\system32\drivers\aavmker4.sys
2R aswMon2 (avast! Standard Shield Support) - C:\WINDOWS\system32\drivers\aswmon2.sys
3R aswRdr - C:\WINDOWS\system32\drivers\aswRdr.sys
1R aswTdi (avast! Network Shield Support) - C:\WINDOWS\system32\drivers\aswTdi.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
3R b57w2k (Broadcom NetXtreme Gigabit Ethernet) - C:\WINDOWS\system32\drivers\b57xp32.sys
3S btaudio (Bluetooth Audio Device) - C:\WINDOWS\system32\drivers\btaudio.sys
3S BTDriver (Bluetooth Virtual Communications Driver) - C:\WINDOWS\system32\drivers\btport.sys
3R BTKRNL (Bluetooth Bus Enumerator) - C:\WINDOWS\system32\drivers\btkrnl.sys
3S BTWDNDIS (Bluetooth LAN Access Server) - C:\WINDOWS\system32\drivers\btwdndis.sys
3S BTWUSB (WIDCOMM USB Bluetooth Driver) - C:\WINDOWS\system32\drivers\btwusb.sys
3R ElbyCDFL - C:\WINDOWS\system32\drivers\ElbyCDFL.sys
2R ElbyCDIO (ElbyCDIO Driver) - C:\WINDOWS\system32\drivers\ElbyCDIO.sys
3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3S GMSIPCI - D:\INSTALL\GMSIPCI.SYS (not found)
3R HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys
3R HPZid412 (IEEE-1284.4 Driver HPZid412) - C:\WINDOWS\system32\drivers\HPZid412.sys
3R HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - C:\WINDOWS\system32\drivers\HPZipr12.sys
3R HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - C:\WINDOWS\system32\drivers\HPZius12.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFHWBS2.sys
3R HSF_DPV - C:\WINDOWS\system32\drivers\HSF_DPV.sys
1R ikhfile (File Security Kernel Anti-Spyware Driver) - C:\WINDOWS\system32\drivers\ikhfile.sys
1R ikhlayer (Kernel Anti-Spyware Driver) - C:\WINDOWS\system32\drivers\ikhlayer.sys
4R InCDfs (InCD File System) - C:\WINDOWS\system32\drivers\InCDfs.sys
1R InCDPass - C:\WINDOWS\system32\drivers\InCDpass.sys
1R incdrm (InCD Reader) - C:\WINDOWS\system32\drivers\InCDrm.sys
3R IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - C:\WINDOWS\system32\drivers\RtkHDAud.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3R pcouffin (VSO Software pcouffin) - C:\WINDOWS\system32\drivers\pcouffin.sys
3R pfc (Padus ASPI Shell) - C:\WINDOWS\system32\drivers\pfc.sys
3R RTL8023 (Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver) - C:\WINDOWS\system32\drivers\Rtlnic51.sys
3S rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - C:\WINDOWS\system32\drivers\RTL8139.sys
2R tmcomm - C:\WINDOWS\system32\drivers\tmcomm.sys
3R usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3R usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
4S WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys
3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
2R avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3R avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3R avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2R btwdins (Bluetooth Service) - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
2R InCDsrv (InCD Helper) - C:\Program Files\Ahead\InCD\InCDsrv.exe
3S iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
2R Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
2R SDhelper (PC Tools Spyware Doctor) - C:\Program Files\Spyware Doctor\sdhelp.exe
2R SiteAdvisor Service - C:\Program Files\SiteAdvisor\5248\SAService.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-02-12 09:49:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 09:40:10 0 d-------- C:\Documents and Settings\chris pc\DoctorWeb<DOCTOR~1>
2007-03-14 20:49:18 0 d-------- C:\WINDOWS\system32\Color
2007-03-14 20:49:18 0 d-------- C:\Program Files\E-Color
2007-03-14 20:43:42 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe<NEROCH~1.EXE>
2007-03-14 20:43:25 0 d-------- C:\Program Files\Common Files\Nero
2007-03-14 19:47:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor<SITEAD~1>
2007-03-14 19:47:05 0 d-------- C:\Program Files\SiteAdvisor<SITEAD~1>
2007-03-14 19:46:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor<SITEAD~1>
2007-03-14 17:15:31 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-14 13:53:55 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-03-14 13:53:54 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-03-14 13:53:48 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1>
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\zts2.exe
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-14 13:15:01 0 d-a------ C:\WINDOWS\rundl132.dll
2007-03-12 21:44:00 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-12 21:43:57 0 d-------- C:\Program Files\Grisoft
2007-03-12 13:24:35 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-03-12 13:24:33 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-12 13:24:33 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-12 13:24:30 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-12 13:24:30 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-12 13:24:22 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-03-12 03:21:39 0 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-03-11 16:08:17 0 d-------- C:\Documents and Settings\chris pc\Application Data\DMCache
2007-03-06 23:04:44 0 d-------- C:\Documents and Settings\chris pc\Application Data\MySpace
2007-03-06 23:04:42 0 d-------- C:\Program Files\MySpace
2007-03-05 20:50:13 0 d--h---c- C:\WINDOWS\ie7
2007-03-03 23:26:12 0 d-------- C:\Program Files\a-squared Free<A-SQUA~2>
2007-03-03 04:10:14 0 d-------- C:\WINDOWS\Prefetch
2007-02-26 20:36:44 0 d-------- C:\Documents and Settings\chris pc\Application Data\PC Tools<PCTOOL~1>
2007-02-25 05:14:44 349760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-25 05:14:44 288320 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-24 07:46:09 0 d-------- C:\Program Files\Registry Mechanic<REGIST~1>
2007-02-19 18:15:31 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-19 18:15:25 0 d-------- C:\Documents and Settings\chris pc\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-16 01:53:50 0 d-------- C:\Program Files\DVDFab Platinum 3<DVDFAB~1>
2007-02-15 15:15:27 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-15 15:15:26 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-15 17:28:31 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~2>
2007-03-15 17:28:24 0 d-------- C:\Program Files\Mozilla Thunderbird<MOZILL~1>
2007-03-15 16:59:05 0 d-------- C:\Documents and Settings\chris pc\Application Data\MailWasher<MAILWA~1>
2007-03-15 10:30:24 0 d-------- C:\Program Files\HP
2007-03-14 20:35:23 0 d-------- C:\Program Files\SlySoft
2007-03-14 20:21:28 0 d-------- C:\Documents and Settings\chris pc\Application Data\Vso
2007-03-14 19:59:04 0 d-------- C:\Documents and Settings\chris pc\Application Data\SiteAdvisor<SITEAD~1>
2007-03-14 13:05:37 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-14 00:33:18 0 d-------- C:\Program Files\iTunes
2007-03-13 10:29:20 0 d-------- C:\Documents and Settings\chris pc\Application Data\uTorrent
2007-03-06 23:13:32 0 dr-h----- C:\Documents and Settings\chris pc\Application Data\yahoo!
2007-03-06 03:38:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-05 21:47:24 0 d-------- C:\Documents and Settings\chris pc\Application Data\Image Zone Express<IMAGEZ~1>
2007-03-04 16:47:43 0 d---s---- C:\Documents and Settings\chris pc\Application Data\Microsoft<MICROS~1>
2007-03-03 00:11:54 0 d-------- C:\Program Files\Common Files\MicroWorld<MICROW~1>
2007-02-14 07:59:48 0 d-------- C:\Documents and Settings\chris pc\Application Data\Lavasoft
2007-02-14 07:59:28 0 d-------- C:\Program Files\Lavasoft
2007-02-14 05:14:57 0 d-------- C:\Program Files\DVD Shrink<DVDSHR~1>
2007-02-11 14:47:48 0 d-------- C:\Documents and Settings\chris pc\Application Data\Ahead
2007-02-10 22:33:45 34 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.log
2007-02-10 22:33:40 47360 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.sys
2007-02-10 22:33:40 1144 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.inf
2007-02-10 22:33:40 1074 --a------ C:\Documents and Settings\chris pc\Application Data\pcouffin.cat
2007-02-10 22:33:40 87608 --a------ C:\Documents and Settings\chris pc\Application Data\ezpinst.exe
2007-02-10 22:33:38 0 d-------- C:\Program Files\vso
2007-02-10 22:02:36 0 d-------- C:\Program Files\Ahead
2007-02-10 01:01:06 0 d-------- C:\Documents and Settings\chris pc\Application Data\Uniblue
2007-02-10 00:51:28 0 d-------- C:\Documents and Settings\chris pc\Application Data\SlySoft
2007-02-08 23:59:59 0 d-------- C:\Program Files\PartyGaming<PARTYG~1>
2007-02-07 21:03:13 8192 --a------ C:\WINDOWS\system32\cidaemon.exe
2007-02-07 12:52:04 0 d-------- C:\Program Files\Common Files\Real
2007-02-07 12:51:47 0 d-------- C:\Documents and Settings\chris pc\Application Data\Real
2007-02-04 13:38:36 0 d-------- C:\Program Files\ToniArts
2007-02-04 10:22:20 0 d-------- C:\Documents and Settings\chris pc\Application Data\CyberLink<CYBERL~1>
2007-02-04 06:36:58 0 d-------- C:\Program Files\MailWasher<MAILWA~1>
2007-02-04 02:41:43 0 d-------- C:\Documents and Settings\chris pc\Application Data\MailWasherPro<MAILWA~2>
2007-02-03 02:59:51 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>
2007-02-03 02:51:50 0 d-------- C:\Documents and Settings\chris pc\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-02-01 20:52:39 0 d-------- C:\Documents and Settings\chris pc\Application Data\MSNInstaller<MSNINS~1>
2007-02-01 01:44:25 0 d-------- C:\Program Files\Raw Logic Software<RAWLOG~1>
2007-01-31 22:36:38 0 d-------- C:\Program Files\Western Digital Technologies<WESTER~1>
2007-01-29 01:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-28 16:32:45 0 d-------- C:\Documents and Settings\chris pc\Application Data\MyPhoneExplorer<MYPHON~1>
2007-01-28 16:27:30 0 d-------- C:\Program Files\MyPhoneExplorer<MYPHON~1>
2007-01-26 09:09:28 0 d-------- C:\Program Files\Common Files\Agnitum Shared<AGNITU~1>
2007-01-16 07:08:58 1992 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-15 19:36:04 117644 --a------ C:\WINDOWS\hpoins11.dat
2007-01-15 19:35:07 0 d-------- C:\Program Files\Common Files\HP
2007-01-15 19:33:34 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-01-12 13:42:34 14 --a------ C:\WINDOWS\system32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-12 10:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 10:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-04 22:17:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-02 14:14:53 7685 --a------ C:\WINDOWS\mozver.dat
2006-12-19 14:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 14:36:45 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-19 14:29:22 82032 --a------ C:\WINDOWS\winsbak2.reg
2006-12-19 14:29:22 11026 --a------ C:\WINDOWS\winsbak.reg
2006-12-19 12:05:55 0 -rahs---- C:\MSDOS.SYS
2006-12-19 12:05:55 0 -rahs---- C:\IO.SYS
2006-12-19 12:05:55 0 --a------ C:\CONFIG.SYS
2006-12-19 12:05:55 0 -----n--- C:\AUTOEXEC.BAT
2006-12-19 12:03:02 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
2006-12-19 11:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-19 03:56:12 62 --ahs---- C:\Documents and Settings\chris pc\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"RTHDCPL"="RTHDCPL.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\5248\\SiteAdv.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-03-15 at 17:32:06 ------------------------
 


#23 ·
They were in quarantine since 14/3/07. I deleted them last night; seven scans since state it's clear. I ran the McAfee removal tool; the Avira removal tool has a good read-up on it. Those files you directed me to in Windows and System32 were empty, if that matters?
 
#24 ·
You began a thread at Majorgeeks yesterday. http://forums.majorgeeks.com/showthread.php?t=120301

This will cause confusion and actually waste time and resources, both yours and mine, as every Analyst will work in a different way.

Please decide which forum you are going to work with and let me know. If you want to continue here, then post in your thread at Majorgeeks that you are being helped at TSF and request them to close that thread. Once that thread is closed, we will continue.

If you choose to work with Majorgeeks--notify me so I can close this thread.
 
#26 ·
Removing malware from a system is a methodical process. If you are posting at more than 1 forum, you'll confuse any Analysts trying to clean your system--the 'right hand won't know what the left hand is doing'. Across the forums there are more infected logs than available Analysts as it is to handle them all. To tie up multiple Analysts for your issue is a waste of those resources available to help others.

Did you delete these files earlier?

C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundl132.dll

-----------------------------------------------------

Please download SREng.

**You may receive a message "The bandwidth limit for this site has been exceeded", please keep trying--eventually you'll get through.

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.
 