Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

12-09-2006, 07:38 AM   #21
cathyp (Registered User; Join Date: Nov 2006; Posts: 21; OS: xp)

Hi Iain - Here's combofix:

Jerms - 06-12-08 21:31:40.07 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jerms\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


2006-12-07 22:45 <DIR> d-------- C:\avenger
2006-12-01 11:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-30 13:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 08:36 <DIR> d-------- C:\Program Files\CleanUp!
2006-11-29 13:34 <DIR> d-------- C:\HJT
2006-11-28 10:08 <DIR> d-------- C:\WINDOWS\system32\Dell
2006-11-28 08:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-28 08:58 <DIR> d-------- C:\c73728d49eb7a2e29c25ae21666b6baf
2006-11-28 08:57 <DIR> d-------- C:\f2edc3c88727fce3440535
2006-11-27 12:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-27 12:07 <DIR> d-------- C:\d24b460bec1d525a09c9b9
2006-11-27 12:03 <DIR> d-------- C:\WINDOWS\system32\ODCTOOLS
2006-11-26 16:10 <DIR> d-------- C:\Program Files\PCPitstop
2006-11-26 10:45 <DIR> d-------- C:\Program Files\RegCure
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-23 12:23 <DIR> d-------- C:\Program Files\Grisoft
2006-11-23 10:41 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-22 18:10 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-16 16:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-13 15:05 <DIR> d-------- C:\WINDOWS\system32\LogFiles


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-08 21:28 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-08 03:19 -------- d-------- C:\Program Files\World of Warcraft
2006-12-07 04:09 -------- d-------- C:\Program Files\Warcraft III
2006-12-04 21:23 -------- d-------- C:\Program Files\Java
2006-12-04 02:23 -------- d-------- C:\Program Files\QuickTime
2006-12-01 20:16 -------- d-------- C:\Program Files\Norton SystemWorks
2006-12-01 11:41 -------- d-------- C:\Program Files\MSN Messenger
2006-12-01 11:41 -------- d-------- C:\Program Files\Messenger
2006-12-01 11:40 -------- d-------- C:\Program Files\iTunes
2006-12-01 11:40 -------- d-------- C:\Program Files\Internet Explorer
2006-12-01 11:39 -------- d-------- C:\Program Files\Google
2006-12-01 11:39 -------- d-------- C:\Program Files\Digital Line Detect
2006-12-01 11:39 -------- d-------- C:\Program Files\Dell Support
2006-12-01 11:38 -------- d-------- C:\Program Files\BAE
2006-12-01 11:38 -------- d-------- C:\Program Files\America Online 9.0
2006-11-29 13:16 -------- d-------- C:\Program Files\Common Files
2006-11-28 12:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Hamachi
2006-11-28 10:08 -------- d-------- C:\Program Files\Dell
2006-11-23 10:41 -------- d-------- C:\Program Files\RegistryPatrol3.0
2006-11-17 18:55 -------- d-------- C:\Program Files\Google Toolbar
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-16 16:56 2724 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-16 16:54 -------- d-------- C:\Program Files\BearShare Applications
2006-11-09 19:22 -------- d-------- C:\Program Files\Apple Software Update
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 19:20 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-11-03 19:19 61678 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JPR.{PB
2006-11-03 19:19 12358 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JCM.{PB
2006-11-03 19:19 -------- d-------- C:\Documents and Settings\Jerms\Application Data\COREL
2006-11-02 20:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-27 12:08 -------- d-------- C:\Program Files\XPMedic
2006-10-27 08:06 -------- d-------- C:\Program Files\AdwareAlert
2006-10-25 14:27 -------- d-------- C:\Program Files\Lavasoft
2006-10-25 14:27 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Lavasoft
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
2006-10-24 09:36 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-23 18:50 -------- d-------- C:\Program Files\MSN
2006-10-23 18:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\MSNInstaller
2006-10-23 08:30 -------- d-------- C:\Program Files\SpywareBot
2006-10-22 20:33 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-22 13:58 -------- d-------- C:\Documents and Settings\Jerms\Application Data\TrojanHunter
2006-10-22 13:57 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Help
2006-10-22 13:48 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Simply Super Software
2006-10-22 13:41 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-22 13:00 -------- d---s---- C:\Documents and Settings\Jerms\Application Data\Microsoft
2006-10-14 22:22 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Corel Photo Album
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv8"="c:\\windows\\system32\\_mzu_stonedrv8.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv8"="c:\\windows\\system32\\_mzu_stonedrv8.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-08 21:32:48.71
C:\ComboFix.txt ... 06-12-08 21:32
C:\ComboFix2.txt ... 06-12-01 11:58
C:\ComboFix3.txt ... 06-11-29 21:02

Thanks

Cathy
12-09-2006, 10:43 AM   #22
Glaswegian (Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic; Join Date: Sep 2005; Location: Glasgow; Posts: 25,129; OS: Win XP Pro SP3 / Win 7 Pro)

Hi Cathy

Click on the zip file attached to this post to open and extract the file cathy.reg to your desktop. Do not run it yet.

Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key).
  • Instead of Windows loading as normal, a menu should appear.
  • Use the arrow key to highlight Safe Mode and press Enter.

Registry Fix
Double click on the file cathy.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.

File Deletions
Delete the following files if they still exist.

C:\WINDOWS\system32\mi2.exe
C:\WINDOWS\system32\mi1.exe
C:\WINDOWS\system32\80020AEA00.sys
c:\windows\system32\_mzu_stonedrv8.exe

Reboot
Reboot your system in Normal Mode.

Please run combofix again, just as you did the last time.

Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner.

Next click on Kaspersky Online Scanner.

A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK.

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Last edited by Glaswegian; 03-27-2008 at 04:12 PM.
12-10-2006, 07:24 AM   #23
cathyp (Registered User; OS: xp)

Hi Iain - I am sorry but I don't know how to find the zip file attached to this post - would you please tell me how to find it? Thanks - Cathy
12-10-2006, 01:55 PM   #24
Glaswegian (Moderator; Analyst, Security Team)

Cathy, look at the bottom of my post, just above yours. There is a separate box, called "Attached Files", with a zip file icon - just click on the zip icon and follow my instructions.
12-11-2006, 08:59 AM   #25
cathyp (Registered User; OS: xp)

Hi Iain - Okay, found the file, but now when I click on it I get 2 prompts - one asking if I want it to be added to the registry and the other saying it has been done successfully - and then nothing else happens - it doesn't show me any files. What am I doing wrong? - Cathy
12-11-2006, 10:29 AM   #26
Glaswegian (Moderator; Analyst, Security Team)

Nothing obvious will happen. We can check later and see if it worked, although it sounds OK. Just carry on with the remaining instructions and post back with the logs.
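The check Iain describes in post #22 and #26 (merge a .reg file in Safe Mode, delete four files, run ComboFix again, then "check later and see if it worked") can be done mechanically from the two ComboFix logs in this thread. The script below is an added example written for this page; it is not a TSF, ComboFix or HijackThis tool. It parses the "Files Created"/"Find3M" file lines and the "Reg Loading Points" values that ComboFix prints, undoes the .reg-style escaping (including the hex(2) expand string shown for KernelFaultCheck), diffs the Run-key autostarts between a before and an after log, and reports which of the four indicators from post #22 are still listed on disk or still referenced from a Run value. The two embedded logs are trimmed excerpts of the logs Cathy posted, marked as constructed samples; the indicator list, the regexes and every function name are this example's own.

```python
"""Check a ComboFix cleanup from its before/after logs.

Added example for this thread, not a TSF, ComboFix or HijackThis tool.
The sample logs are trimmed excerpts of the two logs posted above; the
indicator list is the four artifacts named in post #22.
"""
import re

# Constructed sample: excerpt of the first ComboFix log (before the fix).
LOG_BEFORE = r"""
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-03 19:20 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv8"="c:\\windows\\system32\\_mzu_stonedrv8.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv8"="c:\\windows\\system32\\_mzu_stonedrv8.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""

# Constructed sample: excerpt of the second log (after the .reg merge and deletions).
LOG_AFTER = r"""
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-03 19:20 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""

# The files post #22 asked to delete; a Run value in the first log pointed at the last one.
INDICATORS = ["mi2.exe", "mi1.exe", "80020AEA00.sys", "_mzu_stonedrv8.exe"]

# ComboFix file line: date, time, size (or <DIR> / --------), 9-char attribute field, path.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+([d-][r-][a-][h-][s-]-{4})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_combofix(text):
    """Return (files, values): files maps lower-cased path -> record from the file
    listings; values maps (lower-cased key, value name) -> raw .reg-style value."""
    files, values, key = {}, {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if m := FILE_RE.match(line):
            date, clock, size, attrs, path = m.groups()
            files[path.lower()] = {"path": path, "when": f"{date} {clock}", "size": size, "attrs": attrs}
        elif m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif (m := VALUE_RE.match(line)) and key is not None:
            name, raw = m.groups()
            while raw.endswith("\\") and i < len(lines):  # .reg hex values wrap with a trailing '\'
                raw = raw[:-1] + lines[i].strip()
                i += 1
            values[(key, name)] = raw
    return files, values


def decode_value(raw):
    """Turn a .reg-style value into plain text: unescape quoted strings, and decode
    hex(2) expand strings (ComboFix prints them as single-byte ANSI, not UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    return raw


def run_entries(values):
    """Decoded autostart commands from every ...\\currentversion\\run key."""
    return {k: decode_value(v) for k, v in values.items() if k[0].endswith("\\currentversion\\run")}


def diff_run_entries(before_values, after_values):
    """(removed, added) autostart entries between two parsed value dicts."""
    b, a = run_entries(before_values), run_entries(after_values)
    return {k: v for k, v in b.items() if k not in a}, {k: v for k, v in a.items() if k not in b}


def check_indicators(files, values, indicators):
    """Per indicator: paths still listed on disk, and Run values still referencing it."""
    autoruns, report = run_entries(values), {}
    for ioc in indicators:
        low = ioc.lower()
        report[ioc] = {
            "listed_on_disk": [f["path"] for p, f in files.items() if p.endswith("\\" + low)],
            "autostart_refs": [f"{k[0]}\\{k[1]}" for k, cmd in autoruns.items() if low in cmd.lower()],
        }
    return report


def summarize(before_text, after_text, indicators=INDICATORS):
    """Autostart values the fix removed, and indicators the after-log still lists on disk."""
    before, after = parse_combofix(before_text), parse_combofix(after_text)
    removed, _added = diff_run_entries(before[1], after[1])
    still = check_indicators(after[0], after[1], indicators)
    return {
        "removed_autostarts": sorted(f"{k[0]}\\{k[1]}" for k in removed),
        "still_on_disk": sorted(i for i, r in still.items() if r["listed_on_disk"]),
    }


if __name__ == "__main__":
    for field, result in summarize(LOG_BEFORE, LOG_AFTER).items():
        print(field, result)
```

Run on the full logs (read both files and pass their text to summarize), the functions show what the second log in this thread shows directly: the _mzu_stonedrv8 Run values under HKEY_USERS\.default and S-1-5-18 are gone after the .reg merge, while mi1.exe, mi2.exe and 80020AEA00.sys are still listed in the second Find3M report, so the Safe Mode file deletion step is worth re-checking before the next scan. The hex(2) decoding is specific to ComboFix's output; a regedit export of the same value would carry UTF-16LE bytes.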
12-11-2006, 05:20 PM   #27
cathyp (Registered User; OS: xp)

Jerms - 06-12-11 1:41:49.87 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jerms\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-11 to 2006-12-11 ))))))))))))))))))))))))))))))))))


2006-12-07 22:45 <DIR> d-------- C:\avenger
2006-12-01 11:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-30 13:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 08:36 <DIR> d-------- C:\Program Files\CleanUp!
2006-11-29 13:34 <DIR> d-------- C:\HJT
2006-11-28 10:08 <DIR> d-------- C:\WINDOWS\system32\Dell
2006-11-28 08:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-28 08:58 <DIR> d-------- C:\c73728d49eb7a2e29c25ae21666b6baf
2006-11-28 08:57 <DIR> d-------- C:\f2edc3c88727fce3440535
2006-11-27 12:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-27 12:07 <DIR> d-------- C:\d24b460bec1d525a09c9b9
2006-11-27 12:03 <DIR> d-------- C:\WINDOWS\system32\ODCTOOLS
2006-11-26 16:10 <DIR> d-------- C:\Program Files\PCPitstop
2006-11-26 10:45 <DIR> d-------- C:\Program Files\RegCure
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-23 12:23 <DIR> d-------- C:\Program Files\Grisoft
2006-11-23 10:41 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-22 18:10 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-16 16:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-13 15:05 <DIR> d-------- C:\WINDOWS\system32\LogFiles


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-10 23:07 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-08 03:19 -------- d-------- C:\Program Files\World of Warcraft
2006-12-07 04:09 -------- d-------- C:\Program Files\Warcraft III
2006-12-04 21:23 -------- d-------- C:\Program Files\Java
2006-12-04 02:23 -------- d-------- C:\Program Files\QuickTime
2006-12-01 20:16 -------- d-------- C:\Program Files\Norton SystemWorks
2006-12-01 11:41 -------- d-------- C:\Program Files\MSN Messenger
2006-12-01 11:41 -------- d-------- C:\Program Files\Messenger
2006-12-01 11:40 -------- d-------- C:\Program Files\iTunes
2006-12-01 11:40 -------- d-------- C:\Program Files\Internet Explorer
2006-12-01 11:39 -------- d-------- C:\Program Files\Google
2006-12-01 11:39 -------- d-------- C:\Program Files\Digital Line Detect
2006-12-01 11:39 -------- d-------- C:\Program Files\Dell Support
2006-12-01 11:38 -------- d-------- C:\Program Files\BAE
2006-12-01 11:38 -------- d-------- C:\Program Files\America Online 9.0
2006-11-29 13:16 -------- d-------- C:\Program Files\Common Files
2006-11-28 12:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Hamachi
2006-11-28 10:08 -------- d-------- C:\Program Files\Dell
2006-11-23 10:41 -------- d-------- C:\Program Files\RegistryPatrol3.0
2006-11-17 18:55 -------- d-------- C:\Program Files\Google Toolbar
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-16 16:56 2724 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-16 16:54 -------- d-------- C:\Program Files\BearShare Applications
2006-11-09 19:22 -------- d-------- C:\Program Files\Apple Software Update
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 19:20 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-11-03 19:19 61678 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JPR.{PB
2006-11-03 19:19 12358 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JCM.{PB
2006-11-03 19:19 -------- d-------- C:\Documents and Settings\Jerms\Application Data\COREL
2006-11-02 20:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-27 12:08 -------- d-------- C:\Program Files\XPMedic
2006-10-27 08:06 -------- d-------- C:\Program Files\AdwareAlert
2006-10-25 14:27 -------- d-------- C:\Program Files\Lavasoft
2006-10-25 14:27 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Lavasoft
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
2006-10-24 09:36 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-23 18:50 -------- d-------- C:\Program Files\MSN
2006-10-23 18:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\MSNInstaller
2006-10-23 08:30 -------- d-------- C:\Program Files\SpywareBot
2006-10-22 20:33 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-22 13:58 -------- d-------- C:\Documents and Settings\Jerms\Application Data\TrojanHunter
2006-10-22 13:57 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Help
2006-10-22 13:48 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Simply Super Software
2006-10-22 13:41 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-22 13:00 -------- d---s---- C:\Documents and Settings\Jerms\Application Data\Microsoft
2006-10-14 22:22 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Corel Photo Album
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-11 1:42:43.42
C:\ComboFix.txt ... 06-12-11 01:42
C:\ComboFix2.txt ... 06-12-10 22:56
C:\ComboFix3.txt ... 06-12-08 21:32
Monday, December 11, 2006 7:11:32 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/12/2006
Kaspersky Anti-Virus database records: 249919


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 58439
Number of viruses found 20
Number of infected objects 101 / 0
Number of suspicious objects 0
Duration of the scan process 00:35:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Jerms\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Jerms\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Temp\JET5EE8.tmp Object is locked skipped
C:\Documents and Settings\Jerms\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jerms\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jerms\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11BC68DE Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\126A1A1F Infected: Trojan-Clicker.Win32.Costrat.e skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\12731814 Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\128D67F8 Infected: Trojan-Clicker.Win32.Costrat.e skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15796182.exe Infected: Backdoor.Win32.Agent.acx skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\193D0FBF.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1B853419 Infected: Trojan-Clicker.Win32.Costrat.e skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.dll Infected: Trojan-PSW.Win32.Sinowal.bg skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe NSIS: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C496BD4.exe CryptFF: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1CD26EAB Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\238E0741 Infected: Trojan-Clicker.Win32.Costrat.e skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\24AA53C1 Infected: Trojan-Proxy.Win32.Agent.df skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28CF2131 Infected: Trojan-Proxy.Win32.Small.bo skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2A435397 Infected: Trojan.Win32.ExitWin.z skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe NSIS: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FED255C.exe CryptFF: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FFB4595 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\30117334.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\35A03D2C.exe Infected: Trojan-Clicker.Win32.Costrat.e skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4255142D Infected: Backdoor.Win32.Small.ls skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45876745 Infected: Trojan-Downloader.Win32.Adload.fu skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\515C3B1A Infected: Backdoor.Win32.Small.ls skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\55876C78.dll Infected: Trojan-Downloader.Win32.Zlob.anf skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E0558D2 Infected: Trojan-Downloader.Win32.Tibs.ir skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EAB361B Infected: Trojan-Downloader.Win32.Small.ddy skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EBF3205 Infected: Trojan-PSW.Win32.Sinowal.bg skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EC505FE Infected: Trojan-Downloader.Win32.Tibs.ir skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\604A3EFF.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61D5174C.exe Infected: Trojan-Proxy.Win32.Small.bo skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe NSIS: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62581FA1.exe CryptFF: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\635A66F4 Infected: Trojan-Downloader.Win32.Tibs.ir skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\637A0AD0 Infected: Trojan-Downloader.Win32.Small.ddy skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63E91E56 Infected: Trojan-Downloader.Win32.Small.ctf skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\669E635C Infected: Backdoor.Win32.Agent.acx skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66BA53E6.dll Infected: Trojan-Downloader.Win32.Zlob.anf skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67A00CEC.sys Infected: Trojan-Clicker.Win32.Costrat.e skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67DB00AC.sys Infected: Trojan-Proxy.Win32.Small.bo skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6BD5779E Infected: Backdoor.Win32.Small.ls skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6CE73E70 Infected: Trojan-PSW.Win32.Sinowal.bg skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DA47051.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DC5142E.exe Infected: Trojan-Clicker.Win32.VB.is skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DF933F4.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E1D01CC.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\704260BF Infected: Backdoor.Win32.Agent.acx skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74FC4FF2 Infected: Trojan-Downloader.Win32.Adload.fu skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\770970F8.dll Infected: Trojan-Downloader.Win32.Zlob.anf skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A2422BB.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped

C:\Program Files\SoftwareRevenue.org\2r_samba.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\Program Files\SoftwareRevenue.org\2r_samba.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\Program Files\SoftwareRevenue.org\2r_samba.exe NSIS: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP64\A0027444.exe Infected: Backdoor.Win32.Small.ls skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP64\A0027445.exe Infected: Backdoor.Win32.Small.ls skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP64\A0029477.exe Infected: Backdoor.Win32.Small.ls skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP64\A0030469.exe Infected: Backdoor.Win32.Small.ls skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0030551.exe Infected: Backdoor.Win32.Small.ls skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe NSIS: infected - 5 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0031593.exe Crypt.Quarantine: infected - 5 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP66\A0033980.EXE Infected: Backdoor.Win32.Small.ls skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP66\A0034178.dll Infected: Trojan-Downloader.Win32.Small.ece skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037167.exe/data0009/stream/data0006 Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037167.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037167.exe/data0009 Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037167.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037168.exe/WISE0023.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037168.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037168.exe WiseSFX: infected - 2 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037168.exe WiseSFX Dropper: infected - 2 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037170.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037170.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP74\A0037170.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0088242.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP93\A0093660.EXE/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP93\A0093660.EXE/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP93\A0093660.EXE/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP93\A0093660.EXE ZIP: infected - 3 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP96\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C3CED034-E57C-40C4-8255-E5953F0D6E06}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{A596CCB0-4B0B-456C-A45D-CF11EC446C5E}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\mi1.exe/data0009/stream/data0006 Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\WINDOWS\system32\mi1.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\WINDOWS\system32\mi1.exe/data0009 Infected: not-a-virus:AdWare.Win32.Softomate.e skipped

C:\WINDOWS\system32\mi1.exe NSIS: infected - 3 skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 7:14:59 AM, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jerms\Desktop\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/search/index.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/search/index.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/search/index.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/search/index.html?src=ssb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164582830312
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)



Regarding my system's performance - no more blue screens and it seems to be fine. This is actually my son's computer, so I don't use it and have to go by what he tells me. I told him to take off BearShare, which he says he has done - do you still see it anywhere? The only other problem we are having is the sound, which I presume this is not the forum for.

Thanks Cathy
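The HijackThis log above is a line-oriented format (section code, dash, entry body). As an added example, not code from the thread or from HijackThis itself, here is a small Python parser for it that pulls out the R0/R1 browser settings, flags those whose host is not on an expected list, and lists the entries marked "(file missing)"; the trusted-host list and the sample lines (a subset copied from the log above) are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of HijackThis entries copied from the log above.
# Raw string so the Windows backslashes are kept literally.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/search/index.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/search/index.html?src=ssb
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
"""

# Hosts the owner expects as home/search pages (assumption made for this example).
TRUSTED_HOSTS = {"yahoo.com", "dell.com", "microsoft.com"}

# Every HijackThis finding starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (code, body) pairs for every 'Rn - ...' / 'On - ...' entry.

    Header lines and the running-process list carry no section code and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def browser_settings(entries):
    """R0/R1 bodies are 'registry key,value = URL'; return (code, value name, URL)."""
    out = []
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            key, url = body.rsplit(" = ", 1)
            out.append((code, key.split(",", 1)[-1], url.strip()))
    return out


def host_is_trusted(url, trusted=TRUSTED_HOSTS):
    """True when the URL's host is one of the trusted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def hijacked_settings(entries, trusted=TRUSTED_HOSTS):
    """Browser settings whose URL host is outside the trusted set (a search/start-page hijack)."""
    return [(name, url) for _code, name, url in browser_settings(entries)
            if not host_is_trusted(url, trusted)]


def missing_file_entries(entries):
    """Entries HijackThis annotated '(file missing)': orphaned hooks worth cleaning up."""
    return [(code, body) for code, body in entries if body.endswith("(file missing)")]


def mentions(entries, needle):
    """Entries whose body contains needle, case-insensitively ('is X still anywhere?')."""
    needle = needle.lower()
    return [(code, body) for code, body in entries if needle in body.lower()]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for name, url in hijacked_settings(parsed):
        print(f"browser setting points off-list: {name} -> {url}")
    for code, body in missing_file_entries(parsed):
        print(f"{code} entry with missing target: {body}")
    print("entries mentioning bearshare:", len(mentions(parsed, "bearshare")))
```

Run against the full log above, it would flag all four R0/R1 entries that still point at search.bearshare.com, which is the kind of leftover the question about BearShare is asking about.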
Old 12-12-2006, 02:36 PM   #28 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,129
OS: Win XP Pro SP3 / Win 7 Pro

Hi Cathy

You’ve done a fine job here – we’re nearly at the end now. As regards the sound, have you tried to re-install the drivers for the soundcard? Malware can sometimes affect these things and a re-install may help. Let me know.


Delete the following Files indicated in RED if they still exist.

C:\Program Files\SoftwareRevenue.org\2r_samba.exe
C:\WINDOWS\system32\mi1.exe

Note: If they resist, you may have to boot to Safe Mode to delete them.


One more online scan, as a final check.

Choose any one of these (although try for one that you’ve never used before) and post back with any log produced.

http://housecall.trendmicro.com/ <-- you can use Firefox for this scanner
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.bitdefender.com/scan8/ie.html
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Old 12-13-2006, 02:43 PM   #29 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 21
OS: xp


Hi Iain - Got the sound problem sorted out - thanks. Here is the McAfee log, I think:

C:\Program Files\...\toolbar-w-google-r.dll Adware-Softomate.dll
C:\RECYCLER\...\Dc1.exe Adware-Softomate.dr
C:\WINDOWS\system32\mi1.exe Adware-Softomate.dr

Cathy
Old 12-14-2006, 03:31 PM   #30 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,129
OS: Win XP Pro SP3 / Win 7 Pro

Hi Cathy

Empty your Recycle Bin.

That mi1.exe file should already be gone. In view of the infections you had, please run combofix once more and post back with its log. Then I'll feel happier.
Old 12-15-2006, 05:50 AM   #31 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 21
OS: xp


Hi Iain - Here's combofix:

Jerms - 06-12-14 19:45:09.28 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jerms\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-14 to 2006-12-14 ))))))))))))))))))))))))))))))))))


2006-12-13 02:04 <DIR> d-------- C:\WINDOWS\McAfee.com
2006-12-13 00:02 <DIR> d-------- C:\Download
2006-12-11 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-07 22:45 <DIR> d-------- C:\avenger
2006-12-01 11:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-30 13:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 08:36 <DIR> d-------- C:\Program Files\CleanUp!
2006-11-29 13:34 <DIR> d-------- C:\HJT
2006-11-28 10:08 <DIR> d-------- C:\WINDOWS\system32\Dell
2006-11-28 08:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-28 08:58 <DIR> d-------- C:\c73728d49eb7a2e29c25ae21666b6baf
2006-11-28 08:57 <DIR> d-------- C:\f2edc3c88727fce3440535
2006-11-27 12:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-27 12:07 <DIR> d-------- C:\d24b460bec1d525a09c9b9
2006-11-27 12:03 <DIR> d-------- C:\WINDOWS\system32\ODCTOOLS
2006-11-26 16:10 <DIR> d-------- C:\Program Files\PCPitstop
2006-11-26 10:45 <DIR> d-------- C:\Program Files\RegCure
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-23 12:23 <DIR> d-------- C:\Program Files\Grisoft
2006-11-23 10:41 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-22 18:10 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-16 16:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-14 19:41 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-13 07:42 -------- d-------- C:\Program Files\Google Toolbar
2006-12-13 07:18 -------- d-------- C:\Program Files\World of Warcraft
2006-12-13 04:00 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-12-13 04:00 2620 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-12-13 00:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-12 21:32 -------- d-------- C:\Program Files\SoftwareRevenue.org
2006-12-12 10:14 -------- d-------- C:\Program Files\Internet Explorer
2006-12-12 10:13 -------- d-------- C:\Program Files\Windows Media Player
2006-12-12 10:12 -------- d-------- C:\Program Files\Outlook Express
2006-12-12 10:12 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 04:09 -------- d-------- C:\Program Files\Warcraft III
2006-12-06 22:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-04 21:23 -------- d-------- C:\Program Files\Java
2006-12-04 02:23 -------- d-------- C:\Program Files\QuickTime
2006-12-01 20:16 -------- d-------- C:\Program Files\Norton SystemWorks
2006-12-01 11:41 -------- d-------- C:\Program Files\MSN Messenger
2006-12-01 11:41 -------- d-------- C:\Program Files\Messenger
2006-12-01 11:40 -------- d-------- C:\Program Files\iTunes
2006-12-01 11:39 -------- d-------- C:\Program Files\Google
2006-12-01 11:39 -------- d-------- C:\Program Files\Digital Line Detect
2006-12-01 11:39 -------- d-------- C:\Program Files\Dell Support
2006-12-01 11:38 -------- d-------- C:\Program Files\BAE
2006-12-01 11:38 -------- d-------- C:\Program Files\America Online 9.0
2006-11-29 13:16 -------- d-------- C:\Program Files\Common Files
2006-11-28 12:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Hamachi
2006-11-28 10:08 -------- d-------- C:\Program Files\Dell
2006-11-23 10:41 -------- d-------- C:\Program Files\RegistryPatrol3.0
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-16 16:54 -------- d-------- C:\Program Files\BearShare Applications
2006-11-09 19:22 -------- d-------- C:\Program Files\Apple Software Update
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 19:19 61678 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JPR.{PB
2006-11-03 19:19 12358 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JCM.{PB
2006-11-03 19:19 -------- d-------- C:\Documents and Settings\Jerms\Application Data\COREL
2006-11-02 20:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-27 12:08 -------- d-------- C:\Program Files\XPMedic
2006-10-27 08:06 -------- d-------- C:\Program Files\AdwareAlert
2006-10-25 14:27 -------- d-------- C:\Program Files\Lavasoft
2006-10-25 14:27 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Lavasoft
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
2006-10-24 09:36 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-23 18:50 -------- d-------- C:\Program Files\MSN
2006-10-23 18:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\MSNInstaller
2006-10-23 08:30 -------- d-------- C:\Program Files\SpywareBot
2006-10-22 20:33 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-22 13:58 -------- d-------- C:\Documents and Settings\Jerms\Application Data\TrojanHunter
2006-10-22 13:57 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Help
2006-10-22 13:48 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Simply Super Software
2006-10-22 13:41 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-22 13:00 -------- d---s---- C:\Documents and Settings\Jerms\Application Data\Microsoft
2006-10-19 07:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-14 22:22 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Corel Photo Album
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SigmatelSysTrayApp"="stsystra.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-14 19:46:12.51
C:\ComboFix.txt ... 06-12-14 19:46
C:\ComboFix2.txt ... 06-12-12 21:22
C:\ComboFix3.txt ... 06-12-11 01:42


I hope this makes you happy!
Cathy
cathyp is offline  
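The "Reg Loading Points" section of the ComboFix log above lists the registry autostart locations, but REG_EXPAND_SZ values such as "KernelFaultCheck" and "InstallVisualStyle" are exported as hex(2) byte lists rather than readable commands. The Python below is an added example, not part of the posted log or of ComboFix: it parses a constructed excerpt copied from that section, joins the backslash-continued lines, decodes the hex(2), dword and quoted-string value types, and lists what each Run key actually launches. The excerpt is the only input; nothing in it is executed.

```python
import re

# Constructed sample: a trimmed copy of the "Reg Loading Points" section
# from the ComboFix log posted above. It is parsed, never executed.
SAMPLE_REG_SECTION = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SigmatelSysTrayApp"="stsystra.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"shutdownwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def join_continuations(text):
    """Re-join .reg lines that were wrapped with a trailing backslash."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith('\\'):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw)
    return lines


def decode_reg_hex(payload):
    """Turn 'xx,xx,...' into text. Regedit exports REG_EXPAND_SZ as UTF-16LE;
    this ComboFix build wrote single-byte text, so both encodings are handled:
    if every odd byte is zero the data is treated as UTF-16LE."""
    data = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode('utf-16-le')
    else:
        text = data.decode('latin-1')
    return text.rstrip('\x00')


def parse_reg_section(text):
    """Return a list of (key, value_name, type_name, decoded_value) tuples."""
    key, entries = None, []
    for line in join_continuations(text):
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = m.groups()
        if value.startswith('hex(2):'):
            kind, decoded = 'REG_EXPAND_SZ', decode_reg_hex(value[len('hex(2):'):])
        elif value.startswith('dword:'):
            kind, decoded = 'REG_DWORD', int(value[len('dword:'):], 16)
        elif value.startswith('"') and value.endswith('"'):
            # .reg escaping: '\\' is one backslash, '\"' is a literal quote
            kind, decoded = 'REG_SZ', value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            kind, decoded = 'RAW', value
        entries.append((key, name, kind, decoded))
    return entries


def run_commands(entries):
    """Map value name -> decoded command for every ...\\Run key."""
    return {name: val for key, name, _, val in entries if key.lower().endswith('\\run')}


if __name__ == '__main__':
    parsed = parse_reg_section(SAMPLE_REG_SECTION)
    for key, name, kind, val in parsed:
        print(f'{kind:14} {name} = {val!r}')
    print('Autostart commands:', run_commands(parsed))
```

Decoded, the KernelFaultCheck entry reads `%systemroot%\system32\dumprep 0 -k`, the stock Windows XP crash-report uploader, and InstallVisualStyle is the Royale theme path; neither is anything to act on, which is exactly why decoding them first saves a pointless round of deletions.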
Old 12-15-2006, 01:56 PM   #32 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,129
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Hi Cathy

Well, perhaps not that happy – those 2 files are still showing. We’ll use Avenger again – if you still have it on your system then ignore the download part.


1. Please download The Avenger to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Quote:
Files to delete:

C:\WINDOWS\system32\mi2.exe
C:\WINDOWS\system32\mi1.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4.
The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5.
Please copy/paste the content of c:\avenger.txt at the end of this fix.


Then run combofix again and post its log along with Avenger’s log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 12-17-2006, 09:15 AM   #33 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 21
OS: xp


Hi Iain - Sorry for the delay - I am only just reaching my computer. Here's the logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yvebemrk

*******************

Script file located at: \??\C:\WINDOWS\fwrurqam.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mi2.exe deleted successfully.
File C:\WINDOWS\system32\mi1.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Jerms - 06-12-16 23:14:01.57 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jerms\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))


2006-12-16 22:55 <DIR> d-------- C:\avenger
2006-12-16 22:17 <DIR> d-------- C:\Program Files\Carrie the Caregiver
2006-12-16 22:17 <DIR> d-------- C:\Program Files\bfgtoolbar
2006-12-15 23:28 <DIR> d-------- C:\Program Files\IMVU
2006-12-15 23:28 <DIR> d-------- C:\Documents and Settings\Jerms\Application Data\IMVU
2006-12-13 02:04 <DIR> d-------- C:\WINDOWS\McAfee.com
2006-12-13 00:02 <DIR> d-------- C:\Download
2006-12-11 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-01 11:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-30 13:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 08:36 <DIR> d-------- C:\Program Files\CleanUp!
2006-11-29 13:34 <DIR> d-------- C:\HJT
2006-11-28 10:08 <DIR> d-------- C:\WINDOWS\system32\Dell
2006-11-28 08:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-28 08:58 <DIR> d-------- C:\c73728d49eb7a2e29c25ae21666b6baf
2006-11-28 08:57 <DIR> d-------- C:\f2edc3c88727fce3440535
2006-11-27 12:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-27 12:07 <DIR> d-------- C:\d24b460bec1d525a09c9b9
2006-11-27 12:03 <DIR> d-------- C:\WINDOWS\system32\ODCTOOLS
2006-11-26 16:10 <DIR> d-------- C:\Program Files\PCPitstop
2006-11-26 10:45 <DIR> d-------- C:\Program Files\RegCure
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-23 12:23 <DIR> d-------- C:\Program Files\Grisoft
2006-11-23 10:41 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-22 18:10 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-16 16:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-16 22:55 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-16 22:17 -------- d-------- C:\Program Files\BFG
2006-12-13 07:42 -------- d-------- C:\Program Files\Google Toolbar
2006-12-13 07:18 -------- d-------- C:\Program Files\World of Warcraft
2006-12-13 04:00 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-12-13 04:00 2620 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-12-13 00:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-12 21:32 -------- d-------- C:\Program Files\SoftwareRevenue.org
2006-12-12 10:14 -------- d-------- C:\Program Files\Internet Explorer
2006-12-12 10:13 -------- d-------- C:\Program Files\Windows Media Player
2006-12-12 10:12 -------- d-------- C:\Program Files\Outlook Express
2006-12-12 10:12 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 04:09 -------- d-------- C:\Program Files\Warcraft III
2006-12-06 22:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-04 21:23 -------- d-------- C:\Program Files\Java
2006-12-04 02:23 -------- d-------- C:\Program Files\QuickTime
2006-12-01 20:16 -------- d-------- C:\Program Files\Norton SystemWorks
2006-12-01 11:41 -------- d-------- C:\Program Files\MSN Messenger
2006-12-01 11:41 -------- d-------- C:\Program Files\Messenger
2006-12-01 11:40 -------- d-------- C:\Program Files\iTunes
2006-12-01 11:39 -------- d-------- C:\Program Files\Google
2006-12-01 11:39 -------- d-------- C:\Program Files\Digital Line Detect
2006-12-01 11:39 -------- d-------- C:\Program Files\Dell Support
2006-12-01 11:38 -------- d-------- C:\Program Files\BAE
2006-12-01 11:38 -------- d-------- C:\Program Files\America Online 9.0
2006-11-29 13:16 -------- d-------- C:\Program Files\Common Files
2006-11-28 12:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Hamachi
2006-11-28 10:08 -------- d-------- C:\Program Files\Dell
2006-11-23 10:41 -------- d-------- C:\Program Files\RegistryPatrol3.0
2006-11-16 16:54 -------- d-------- C:\Program Files\BearShare Applications
2006-11-09 19:22 -------- d-------- C:\Program Files\Apple Software Update
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 19:19 61678 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JPR.{PB
2006-11-03 19:19 12358 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JCM.{PB
2006-11-03 19:19 -------- d-------- C:\Documents and Settings\Jerms\Application Data\COREL
2006-11-02 20:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-27 12:08 -------- d-------- C:\Program Files\XPMedic
2006-10-27 08:06 -------- d-------- C:\Program Files\AdwareAlert
2006-10-25 14:27 -------- d-------- C:\Program Files\Lavasoft
2006-10-25 14:27 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Lavasoft
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
2006-10-24 09:36 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-23 18:50 -------- d-------- C:\Program Files\MSN
2006-10-23 18:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\MSNInstaller
2006-10-23 08:30 -------- d-------- C:\Program Files\SpywareBot
2006-10-22 20:33 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-22 13:58 -------- d-------- C:\Documents and Settings\Jerms\Application Data\TrojanHunter
2006-10-22 13:57 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Help
2006-10-22 13:48 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Simply Super Software
2006-10-22 13:41 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-22 13:00 -------- d---s---- C:\Documents and Settings\Jerms\Application Data\Microsoft
2006-10-19 07:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SigmatelSysTrayApp"="stsystra.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-16 23:15:03.29
C:\ComboFix.txt ... 06-12-16 23:15
C:\ComboFix2.txt ... 06-12-14 19:46
C:\ComboFix3.txt ... 06-12-12 21:22




Cathy
cathyp is offline  
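The check the moderator performs between posts #31 and #33 is a diff of the two ComboFix file listings: the targeted files must have left the "Find3M Report", and anything that appeared in the meantime needs a look. The Python below is an added example, not ComboFix's own code or anything from the thread: it parses the "Files Created" / "Find3M" line format (date, time, size or `<DIR>`, a nine-character attribute field, path), diffs two logs by path, reports which of a list of targets are still present, and lists files carrying both hidden and system attributes for manual review. The two inputs are constructed excerpts of the logs posted above, not the full logs.

```python
import re

# One "Files Created" or "Find3M" line: date, time, size (<DIR>, a run of
# dashes, or a number with thousands separators), 9 attribute chars, path.
ENTRY_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+'
    r'(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$'
)

# Constructed excerpts of the two logs above (post #31 before Avenger ran,
# post #33 afterwards). Only a handful of lines from each are reproduced.
BEFORE_EXCERPT = r'''
2006-12-07 22:45 <DIR> d-------- C:\avenger
2006-12-13 04:00 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-12-13 04:00 2620 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-16 16:54 -------- d-------- C:\Program Files\BearShare Applications
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
'''
AFTER_EXCERPT = r'''
2006-12-16 22:55 <DIR> d-------- C:\avenger
2006-12-16 22:17 <DIR> d-------- C:\Program Files\bfgtoolbar
2006-12-15 23:28 <DIR> d-------- C:\Program Files\IMVU
2006-12-13 04:00 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-12-13 04:00 2620 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-16 16:54 -------- d-------- C:\Program Files\BearShare Applications
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
'''


def parse_entries(log_text):
    """Map lower-cased path -> entry dict (Windows paths are case-insensitive)."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # section banners, timestamps and blank lines
        attrs = m['attrs']
        entries[m['path'].lower()] = {
            'path': m['path'],
            'stamp': f"{m['date']} {m['time']}",
            'size': m['size'],
            'is_dir': attrs[0] == 'd' or m['size'] == '<DIR>',
            'hidden': 'h' in attrs,
            'system': 's' in attrs,
        }
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added, changed) path lists between two logs."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed = sorted(before[k]['path'] for k in before.keys() - after.keys())
    added = sorted(after[k]['path'] for k in after.keys() - before.keys())
    changed = sorted(
        after[k]['path'] for k in before.keys() & after.keys()
        if (before[k]['stamp'], before[k]['size']) != (after[k]['stamp'], after[k]['size'])
    )
    return removed, added, changed


def still_present(log_text, targets):
    """Which of the paths scheduled for deletion still appear in the log."""
    entries = parse_entries(log_text)
    return [t for t in targets if t.lower() in entries]


def hidden_system_files(log_text):
    """Non-directory entries flagged hidden+system: items to verify, not verdicts."""
    entries = parse_entries(log_text)
    return sorted(e['path'] for e in entries.values()
                  if not e['is_dir'] and e['hidden'] and e['system'])


if __name__ == '__main__':
    removed, added, changed = diff_logs(BEFORE_EXCERPT, AFTER_EXCERPT)
    print('removed:', removed)
    print('added:  ', added)
    print('changed:', changed)
    print('targets left:', still_present(AFTER_EXCERPT, [r'C:\WINDOWS\system32\mi1.exe',
                                                          r'C:\WINDOWS\system32\mi2.exe']))
    print('hidden+system files:', hidden_system_files(AFTER_EXCERPT))
```

On these excerpts the diff shows mi1.exe and mi2.exe gone, two new Program Files folders (IMVU and bfgtoolbar, installed by the user between the two runs) and a re-created C:\avenger folder; that matches the moderator's "your system is now clean" reading while still surfacing what changed in the meantime.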
Old 12-17-2006, 09:41 AM   #34 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,129
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Hi Cathy

Well done - your system is now clean. Any more problems? If not we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them.



Reset Hidden/System Files
To reset your hidden and system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


System Restore
To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

To turn System Restore back on, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware

Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.


IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


SnoopFree

SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.


Alternate Browsers

Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon



Firewalls

A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Sygate Personal Firewall
ZoneAlarm
Tiny Personal Firewall


Anti Virus Software

It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Other Protection

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
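The MVPS Hosts recommendation above works by mapping known ad and tracking hostnames to 127.0.0.1, so the resolver answers locally and the request never leaves the machine. The Python below is an added example, not part of the post or of the MVPS file: it parses a constructed hosts excerpt in the format Windows uses (on XP the live file is C:\WINDOWS\system32\drivers\etc\hosts), separates the loopback "sinkhole" entries from the legitimate localhost lines, and flags any entry that points a hostname at a real address, since the same mechanism that blocks an ad server can also redirect a name you rely on. Hostnames in the sample use reserved example domains and are not taken from any real blocklist.

```python
import ipaddress

# Names that legitimately live in every hosts file.
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost'}
# Addresses used as sinkholes by blocklist hosts files. 127.0.0.1 is the
# form the post describes; 0.0.0.0 is the other common choice. Both block.
SINK_ADDRESSES = {'127.0.0.1', '0.0.0.0', '::1'}

# Constructed excerpt in hosts-file syntax (comments after '#', several
# hostnames per line allowed). Not the real MVPS file.
SAMPLE_HOSTS = '''
# This is a constructed sample, not a real blocklist
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                 # sinkhole, 0.0.0.0 form
127.0.0.1       tracker.example.org banners.example.org   # two names, one line
10.0.0.5        update.example-av.test          # a name sent to another host
this is not a valid line
'''


def parse_hosts(text):
    """Return [(line_number, ip_as_string, hostname_lowercased), ...].
    Malformed lines are skipped, as the resolver skips them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def classify(entries):
    """Split entries into local names, sinkholed (blocked) names and
    names redirected to a routable address that should be verified by hand."""
    local, blocked, redirected = set(), set(), set()
    for _, ip, name in entries:
        if name in LOCAL_NAMES:
            local.add(name)
        elif ip in SINK_ADDRESSES:
            blocked.add(name)
        else:
            redirected.add((name, ip))
    return {'local': sorted(local), 'blocked': sorted(blocked), 'redirected': sorted(redirected)}


def resolve(name, entries):
    """Answer the way the hosts lookup does: first matching name wins,
    case-insensitively; None means the name falls through to DNS."""
    name = name.lower()
    for _, ip, host in entries:
        if host == name:
            return ip
    return None


if __name__ == '__main__':
    parsed = parse_hosts(SAMPLE_HOSTS)
    report = classify(parsed)
    print(f"{len(report['blocked'])} names sinkholed, {len(report['local'])} local names")
    for name, ip in report['redirected']:
        print(f'VERIFY: {name} -> {ip} (not a sinkhole address)')
    print('tracker.example.org resolves to', resolve('tracker.example.org', parsed))
```

Run against a real hosts file, the "redirected" list is the part worth reading: a blocklist file should consist almost entirely of sinkhole entries, so any name pointed at a routable address is either an intentional local override or something to investigate.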
Old 12-17-2006, 02:17 PM   #35 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 21
OS: xp


Hi Iain - I can't thank you enough for all your help! Thanks also for all the recommendations to help prevent any future infections - I will definitely follow up on those. Take care and keep up your good work!

All the best,

Cathy
cathyp is offline  
Copyright 2001 - 2009, Tech Support Forum