Old 10-12-2007, 07:56 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Malware has taken over! Hijackthis logfile follows..

OK, about 48hrs ago, my PC was taken over by a storm of malware. Spybot removed hundreds of programs, but the lingering effects are:

1. Locked out "by System Administrator" of my Control Panel and all System-oriented functions.
2. Massive amounts of CPU (>70%) being used even when I'm not doing anything.
3. Keystrokes are slow, missing letters if I type too fast.

Help?

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 8:23:54 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [rygorad] C:\Program Files\ComPlus Applications\rygorad77798.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1103] command /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2502] cmd /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [fqfw] C:\PROGRA~1\COMMON~1\fqfw\fqfwm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://chat.goarmy.com:8563/Java/cfs40320.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O20 - AppInit_DLLs: sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
CamwynF is offline  
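An added example, not from this thread or from HijackThis itself: a small Python triage script that applies to lines copied from the log above the checks an analyst makes by hand on the F2, O4, O6, O20 and O23 sections (Shell= hijack, AppInit_DLLs, IE/Control Panel policy restrictions, dropper-style autorun names, bare executables in Startup, services with no owner). The severity labels and the file-name heuristics are my assumptions, not part of the tool's output.

```python
"""Triage HijackThis v1.99.1 log lines (added example; the rules are heuristics)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rygorad] C:\Program Files\ComPlus Applications\rygorad77798.exe
O4 - HKCU\..\Run: [fqfw] C:\PROGRA~1\COMMON~1\fqfw\fqfwm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high", "medium" or "info" (assumed labels)
    reason: str
    line: str


# Every HijackThis entry starts with a section code, a dash, then the body.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# Executable names ending in a long digit run (rygorad77798.exe) are a
# common dropper naming pattern; this is a heuristic, not proof of malice.
DIGIT_SUFFIX_RE = re.compile(r"[A-Za-z]+\d{4,}\.exe\b", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return the entries an analyst would want to look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("F0", "F2") and "Shell=" in body:
            # A clean system has Shell=Explorer.exe and nothing else.
            shell_value = body.split("Shell=", 1)[1].strip()
            if shell_value.lower() != "explorer.exe":
                findings.append(Finding(sec, "high",
                    "Winlogon Shell launches an extra program next to Explorer "
                    "at every logon", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            if body.split(":", 1)[1].strip():
                findings.append(Finding(sec, "high",
                    "AppInit_DLLs module injected into every GUI process", line))
        elif sec == "O6" and body.endswith("present"):
            findings.append(Finding(sec, "medium",
                "IE/Control Panel restriction policy set; this is what produces "
                "the 'restricted by System Administrator' lock-out", line))
        elif sec == "O4":
            if body.startswith(("Global Startup:", "Startup:")):
                item = body.split(":", 1)[1].strip()
                # A shortcut shows as "name.lnk = target"; a bare .exe was dropped.
                if item.lower().endswith(".exe") and "=" not in item:
                    findings.append(Finding(sec, "medium",
                        "bare executable in the Startup folder (not a shortcut)", line))
            elif DIGIT_SUFFIX_RE.search(body):
                findings.append(Finding(sec, "medium",
                    "autorun entry with a dropper-style digit-suffixed name", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "info",
                "service binary has no company name; verify it", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```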

Old 10-13-2007, 08:13 AM   #2 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Re: Malware has taken over! Hijackthis logfile follows..

Bump.
CamwynF is offline  
Old 10-13-2007, 01:44 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Re: Malware has taken over! Hijackthis logfile follows..

Bump.
CamwynF is offline  
Old 10-13-2007, 04:00 PM   #4 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: Malware has taken over! Hijackthis logfile follows..

Hello,

Are you going to stick with me until the end? Seems you abandoned the last thread you started....

http://www.techsupportforum.com/secu...opping-up.html

If you have the intent to stick with it until the end, then please follow the instructions below.

--------------------------------------------------------------

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Do not run option #2 unless instructed to!!

--------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please include the following in your next reply:

SmitfraudFix Report
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please

Last edited by forhockey; 10-13-2007 at 04:05 PM.
forhockey is offline  
Old 10-13-2007, 05:38 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Re: Malware has taken over! Hijackthis logfile follows..

Thanks.

Smitfraud logfile:

Quote:
SmitFraudFix v2.240

Scan done at 18:33:11.79, Sat 10/13/2007
Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\sulimo.dat FOUND !
C:\WINDOWS\system32\vtr???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\autorun.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MICHAE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\zysok.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sulimo.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G PCI Adapter with SpeedBooster - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.11
DNS Server Search Order: 68.105.29.11
DNS Server Search Order: 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E35FCC2-7F71-4CB7-98FB-EEE20BF7AB85}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E35FCC2-7F71-4CB7-98FB-EEE20BF7AB85}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7E35FCC2-7F71-4CB7-98FB-EEE20BF7AB85}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
DSS (main.txt):

Quote:
Deckard's System Scanner v20070905.67
Run by Michael on 2007-10-13 18:40:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2007-10-13 23:40:06 UTC - RP600 - Deckard's System Scanner Restore Point


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.41 GiB (less than 15%) free.


-- HijackThis (run as Michael.exe) --------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-13 18:41:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\syssvcnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Michael\Desktop\dss.exe
C:\Documents and Settings\Michael\Desktop\Michael.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\app\PopupBHO01.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [rygorad] C:\Program Files\ComPlus Applications\rygorad77798.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [SpybotDeletingA1103] command /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [SpybotDeletingC2502] cmd /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [fqfw] C:\PROGRA~1\COMMON~1\fqfw\fqfwm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: New Folder
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://www.torrentreactor.to (HKCU)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 () - http://chat.goarmy.com:8563/Java/cfs40320.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...8f/wvc1dmo.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_13) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O20 - AppInit_DLLs: sulimo.dat
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - "C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 catchme - c:\docume~1\michae~1\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&2E98101C&0&28F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&2E98101C&0&28F0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: DAVICOM 9102-Based PCI Fast Ethernet Adapter
Device ID: PCI\VEN_1282&DEV_9102&SUBSYS_82120291&REV_40\4&2E98101C&0&50F0
Manufacturer: DAVICOM Semiconductor, Inc.
Name: DAVICOM 9102-Based PCI Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1282&DEV_9102&SUBSYS_82120291&REV_40\4&2E98101C&0&50F0
Service: DM9102

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Service:


-- Files created between 2007-09-13 and 2007-10-13 -----------------------------

2007-10-13 18:33:46 1186 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-13 18:33:00 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-13 18:33:00 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-13 18:33:00 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-13 18:33:00 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-13 18:33:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-12 20:32:08 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-12 20:32:05 0 d-------- C:\WINDOWS\LastGood
2007-10-11 07:46:43 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-10-11 07:22:20 39424 --a------ C:\WINDOWS\system32\vtr.dll <Not Verified; ; IEHelper Module>
2007-10-11 07:22:20 7849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-10-09 16:51:50 0 d-------- C:\WINDOWS\Sun
2007-10-09 16:51:29 0 d-------- C:\Documents and Settings\Michael\Application Data\Sun
2007-10-09 16:50:42 0 d-------- C:\Program Files\Java
2007-10-09 16:50:25 0 d-------- C:\Program Files\Common Files\Java
2007-10-09 11:59:32 301568 --a------ C:\WINDOWS\b148.exe
2007-10-07 18:46:36 35840 -ra------ C:\WINDOWS\tsitra11.exe
2007-10-05 23:28:20 0 d-------- C:\The Simpsons - Complete season 18
2007-10-01 18:35:38 0 d-------- C:\WINDOWS\fqfw
2007-10-01 18:35:38 0 d-------- C:\Program Files\Common Files\fqfw
2007-10-01 07:24:01 376832 --a------ C:\WINDOWS\system32\WinNB58.dll <Not Verified; ; MBar IES AFF>
2007-09-30 00:45:01 0 d-------- C:\Program Files\Common Files\??sks
2007-09-30 00:44:52 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-30 00:43:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 00:32:56 0 d-------- C:\Program Files\Temporary
2007-09-30 00:29:35 2 --a------ C:\WINDOWS\system32\wcpisvsu.exe
2007-09-30 00:29:33 0 d-------- C:\Program Files\?ecurity
2007-09-30 00:29:24 0 d-------- C:\Program Files\?asks
2007-09-26 07:19:52 184320 --a------ C:\WINDOWS\b111.exe
2007-09-22 16:12:56 0 d-------- C:\From the Earth to the Moon
2007-09-16 11:41:26 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-09-16 10:12:35 442368 -ra------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2007-09-15 11:03:51 0 d-------- C:\Documents and Settings\Michael\Application Data\Help


-- Find3M Report ---------------------------------------------------------------

2007-10-13 18:36:48 0 d-------- C:\Program Files\PeerGuardian2
2007-10-13 11:34:51 0 d-------- C:\Program Files\eMule
2007-10-12 21:30:30 0 d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2007-10-11 03:27:21 0 d-------- C:\Program Files\Common Files
2007-10-06 16:56:44 0 d-------- C:\Program Files\PokerStars
2007-10-04 04:46:58 142 --a------ C:\Program Files\Common Files\zysok.html
2007-10-02 11:33:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-02 11:13:45 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2007-10-02 10:48:35 0 d-------- C:\Program Files\?asks
2007-09-30 00:45:48 0 d-------- C:\Program Files\?ecurity
2007-09-30 00:45:01 0 d-------- C:\Program Files\Common Files\??sks
2007-09-30 00:32:09 0 d-------- C:\Program Files\Sierra
2007-09-16 16:56:22 0 d-------- C:\Program Files\EA GAMES
2007-09-16 12:57:47 0 d-------- C:\Program Files\BitComet
2007-09-15 12:55:16 0 d-------- C:\Program Files\Firaxis Games
2007-09-15 12:54:58 0 d-------- C:\Documents and Settings\Michael Magee\Application Data\My Games
2007-09-12 13:39:22 0 d-------- C:\Documents and Settings\Michael Magee\Application Data\Bioshock
2007-09-09 09:57:49 0 d-------- C:\Program Files\MagicISO
2007-09-08 21:56:21 0 d-------- C:\Program Files\Maxis
2007-09-06 19:23:05 0 d-------- C:\Program Files\MSXML 4.0
2007-09-06 15:25:32 0 d-------- C:\Program Files\Common Files\Aluria
2007-09-06 15:25:23 0 d-------- C:\Program Files\Common Files\Authentium
2007-09-05 15:33:00 0 d-------- C:\Program Files\Save
2007-09-05 10:34:10 0 d-------- C:\Program Files\Electronic Arts
2007-09-05 07:09:59 0 d-------- C:\Program Files\Sierra Entertainment
2007-09-03 13:34:03 0 d-------- C:\Program Files\CENEGA
2007-08-30 10:14:36 86016 --a------ C:\WINDOWS\b147.exe
2007-08-25 03:14:06 0 d-------- C:\Program Files\America's Army
2007-07-19 06:10:58 69632 --a------ C:\WINDOWS\b143.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [03/19/2004 03:33 AM C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/05/2006 08:58 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/02/2006 02:18 PM]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [05/09/2007 01:40 PM]
"rygorad"="C:\Program Files\ComPlus Applications\rygorad77798.exe" [08/07/2007 03:30 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [10/18/2006 11:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 07:01 AM]
"fqfw"="C:\PROGRA~1\COMMON~1\fqfw\fqfwm.exe" [07/19/2006 02:56 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA1103"=command /c del "C:\WINDOWS\system32\printer.exe"
"SpybotDeletingC2502"=cmd /c del "C:\WINDOWS\system32\printer.exe"

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [8/17/2006 5:00:47 PM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 7:44:06 AM]
autorun.exe [10/11/2007 7:22:20 AM]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\zysok.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sulimo.dat

*Newly Created Service* - GTNDIS5



-- Hosts -----------------------------------------------------------------------

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 atdmt.com
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 engine.awaps.net

6792 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-13 18:45:17 ------------
Attached Files
File Type: txt main.txt (16.3 KB, 0 views)
File Type: txt extra.txt (12.3 KB, 2 views)

Last edited by CamwynF; 10-13-2007 at 06:08 PM.
Old 10-13-2007, 07:52 PM   #6
Registered User
Join Date: Sep 2007
Posts: 16
OS: XP

Re: Malware has taken over! Hijackthis logfile follows..

After running DSS, I've got access to my Control Panel back, but still using a lot of CPU (~50-60%) and the keystrokes are still delayed/skipping.
Old 10-13-2007, 09:36 PM   #7
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate

Re: Malware has taken over! Hijackthis logfile follows..

Hi CamwynF,

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------
  1. Please download SmitfraudFix to your Desktop. Do not run it yet. We will shortly

  2. Restart your computer in Safe Mode
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8
    • Instead of Windows loading as normal, a menu should appear
    • Use the up arrow key to highlight Safe Mode and press Enter.
    • Login with your usual account
    • Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

    Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

  3. Double-click on SmitfraudFix.exe to start the tool.

  4. Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.

  5. You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Windows.

  6. The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  7. Next, go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
    · "Security Info"
    · "Warning Message"
    · "Security Desktop"
    · "Warning Homepage"
    · "Desktop Uninstall"


    Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

  8. Restart your computer in Normal Mode

--------------------------------------------------------------
  1. Double-click on SmitfraudFix.exe to start the tool.

  2. Select option #3 - Delete Trusted zone by typing 3 and press Enter

  3. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

    Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

--------------------------------------------------------------

Delete your old copy of ComboFix and download a new copy.
  1. Download combofix.exe to your desktop.
  2. Disconnect from the internet....pull the plug!
  3. Disable your real time protection of your Anti-Virus. Exit the program via the SystemTray icon.
  4. Double click on combofix.exe & follow the prompts. Type "1" and press Enter to begin the scan.
  5. When finished, it shall produce a log for you ( C:\ComboFix.txt ). Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    --------------------------------------------------------------
  6. Re-enable your Anti-Virus if it is not active...a reboot should have re-activated it.
  7. Re-establish an internet connection.
  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    --------------------------------------------------------------

Please download HijackThis. This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Install" button. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

--------------------------------------------------------------

Please reply back with the following logs:

C:\rapport.txt
C:\ComboFix.txt
HiJackThis log
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 10-14-2007, 08:19 AM   #8
Registered User
Join Date: Sep 2007
Posts: 16
OS: XP

Re: Malware has taken over! Hijackthis logfile follows..

Here's the logs:

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 9:15:35 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ComPlus Applications\rygorad77798.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [rygorad] C:\Program Files\ComPlus Applications\rygorad77798.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://chat.goarmy.com:8563/Java/cfs40320.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
Attached Files
File Type: txt ComboFix.txt (31.5 KB, 3 views)
File Type: txt rapport.txt (187.9 KB, 2 views)
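The O4, O6, O20 and O23 lines of the log above, triaged the way a helper does by hand: each autostart, policy, Winlogon Notify and service entry is compared against a known-good list, and whatever is left over or carries a red flag (no vendor, file missing) is reported for review; nothing is fixed. This is an added example, not HijackThis code and not something posted in the thread; KNOWN_GOOD and SAMPLE_LOG are constructed for the demonstration.

```python
"""Triage of HijackThis 1.99 log lines against a known-good list (added example for
this thread; not HijackThis code and not posted by the helper)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format HijackThis 1.99.1 emits for the sections triaged here;
# the lines copy the shape of the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [rygorad] C:\Program Files\ComPlus Applications\rygorad77798.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys\WLService.exe" "WMP54GSv1_1.exe (file missing)
"""

# Assumed known-good list of (section, lower-case file name). This stands in for the
# analyst's own reference list; HijackThis itself ships nothing of the kind.
KNOWN_GOOD = {
    ("O4", "cthelper.exe"), ("O4", "ctfmon.exe"), ("O4", "jusched.exe"),
    ("O20", "wgalogon.dll"),
    ("O23", "pnkbstra.exe"),
}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.*)$")
POLICY_RE = re.compile(r"^O6 - (.*) present$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# First token that ends in an executable or DLL extension, quoted or not.
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code (O4, O6, O20, O23)
    subject: str  # value name, startup item, policy key or service name
    path: str     # executable/DLL as logged ("" when not applicable)
    reason: str   # what a reviewer should check before fixing anything


def extract_exe(command: str) -> str:
    """Return the executable/DLL path inside a logged command line."""
    m = EXE_RE.search(command)
    return m.group(1) if m else command.strip('"')


def file_name(path: str) -> str:
    """Lower-case file name component of a Windows path or a bare name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Report entries that are off the known-good list or carry a red flag. Nothing is fixed."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, key, name, command = m.groups()
            exe = extract_exe(command)
            if ("O4", file_name(exe)) in KNOWN_GOOD:
                continue
            reason = f"{hive} {key} autostart not on the known-good list"
            if "\\" not in exe:  # e.g. "nwiz.exe": located through the search path, not a fixed path
                reason += "; bare file name, resolved through the search path"
            findings.append(Finding("O4", name, exe, reason))
        elif m := STARTUP_RE.match(line):
            folder, item = m.groups()
            exe = extract_exe(item)
            if ("O4", file_name(exe)) not in KNOWN_GOOD:
                findings.append(Finding("O4", item, exe, f"{folder} folder item not on the known-good list"))
        elif m := POLICY_RE.match(line):
            # O6: an Internet Explorer restriction policy is set; fine only if an admin set it on purpose.
            findings.append(Finding("O6", m.group(1), "", "policy restriction present"))
        elif m := NOTIFY_RE.match(line):
            name, dll = m.groups()
            if ("O20", file_name(dll)) not in KNOWN_GOOD:
                findings.append(Finding("O20", name, dll, "Winlogon Notify DLL is loaded by winlogon.exe"))
        elif m := SERVICE_RE.match(line):
            name, owner, path = m.groups()
            exe = extract_exe(path)
            if ("O23", file_name(exe)) in KNOWN_GOOD:
                continue
            flags = []
            if owner == "Unknown owner":
                flags.append("no vendor in the binary's version info")
            if "(file missing)" in path:
                flags.append("service binary missing on disk")
            if flags:
                findings.append(Finding("O23", name, exe, "; ".join(flags)))
    return findings
```

Run against SAMPLE_LOG it reports five entries: the rygorad autostart, the PowerReg startup item, the two O6 policies and the WMP54GSSVC service; the Java, ctfmon, CTHelper, WgaLogon and PnkBstrA entries are on the list and stay quiet.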
Old 10-14-2007, 11:51 AM   #9
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate

Re: Malware has taken over! Hijackthis logfile follows..

Hi CamwynF,

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\Program Files\ComPlus Applications\rygorad77798.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.


If VirusTotal is busy, try the same at Jotti

--------------------------------------------------------------
  1. Restart your computer in Safe Mode
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8
    • Instead of Windows loading as normal, a menu should appear
    • Use the up arrow key to highlight Safe Mode and press Enter.
    • Login with your usual account
    • Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

    Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

  2. Double-click on SmitfraudFix.exe to start the tool.

  3. Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.

  4. You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Windows.

  5. The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  6. Restart your computer in Normal Mode

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\tsitra11.exe

DirLook::
C:\From the Earth to the Moon
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

How is your system behaving now?

--------------------------------------------------------------

Please reply back with the following logs:

Virus Total Results
C:\rapport.txt
C:\ComboFix.txt
Update on system behaviour?
Old 10-15-2007, 10:25 AM   #10
Registered User
Join Date: Sep 2007
Posts: 16
OS: XP

Re: Malware has taken over! Hijackthis logfile follows..

The script:
Quote:
KILLALL::

File::
C:\WINDOWS\tsitra11.exe

DirLook::
C:\From the Earth to the Moon
caused Combofix to stall out after completing Step 5. Ran Combofix without it, log appended below.

No visible improvement in system performance.

VirusTotal Report:

Quote:
File rygorad77798.exe received on 10.15.2007 18:12:16 (CET)
Result: 22/31 (70.97%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.0 2007.10.15 Win-AppCare/Ttc.163840.B
AntiVir 7.6.0.23 2007.10.15 TR/Dldr.AW.awk
Authentium 4.93.8 2007.10.14 W32/Downldr2.QJZ
Avast 4.7.1051.0 2007.10.14 Win32:Trojan-gen. {Other}
AVG 7.5.0.488 2007.10.15 Adware Generic2.JSI
BitDefender 7.2 2007.10.15 Adware.TTC.B
CAT-QuickHeal 9.00 2007.10.13 AdWare.TTC.c (Not a Virus)
ClamAV 0.91.2 2007.10.14 Adware.TTC-1
DrWeb 4.44.0.09170 2007.10.15 -
eSafe 7.0.15.0 2007.10.10 -
eTrust-Vet 31.2.5207 2007.10.13 Win32/Zquest.H
Ewido 4.0 2007.10.15 -
FileAdvisor 1 2007.10.15 High threat detected
Fortinet 3.11.0.0 2007.10.15 -
F-Prot 4.3.2.48 2007.10.15 W32/Downldr2.QJZ
F-Secure 6.70.13030.0 2007.10.15 -
Ikarus T3.1.1.12 2007.10.15 not-a-virus:AdWare.Win32.TTC.c
Kaspersky 7.0.0.125 2007.10.15 not-a-virus:AdWare.Win32.TTC.c
McAfee 5140 2007.10.12 potentially unwanted program Generic Adware
Microsoft 1.2908 2007.10.15 Program:Win32/TTC
NOD32v2 2591 2007.10.14 -
Norman 5.80.02 2007.10.15 -
Panda 9.0.0.4 2007.10.15 Adware/TTC
Prevx1 V2 2007.10.15 -
Rising 19.45.02.00 2007.10.15 Trojan.DL.Win32.Agent.lq
Sophos 4.22.0 2007.10.15 Troj/TTC-A
Sunbelt 2.2.907.0 2007.10.13 Deskwizz/ZQuest
Symantec 10 2007.10.15 SecurityRiskOn
TheHacker 6.2.8.091 2007.10.15 Adware/TTC.c
VBA32 3.12.2.4 2007.10.15 AdWare.Win32.TTC.c
VirusBuster 4.3.26:9 2007.10.15 -
Additional information
File size: 163840 bytes
MD5: b517f6aeedb6f383fb38d99738ee66aa
SHA1: 93c57a64dab351ec8fa7b8cc3a59f3f284e11201
Bit9 info: http://fileadvisor.bit9.com/services...38d99738ee66aa
Sunbelt info: Deskwizz/ZQuest is an adware application that tracks the user's browsing in order to display targeted advertising on the desktop.
Attached Files
File Type: txt rapport.txt (1.8 KB, 1 views)
File Type: txt ComboFix.txt (6.2 KB, 1 views)
Old 10-15-2007, 06:08 PM   #11
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate

Re: Malware has taken over! Hijackthis logfile follows..

Hi CamwynF,

Could you please stop attaching the logs, as it is making the transition difficult for reading all the logs, thanks.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Disable Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rygorad"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fqfw"=-

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------

Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

--------------------------------------------------------------

Delete the following File indicated in RED and Folder indicated in BLUE if they still exist.

C:\Program Files\ComPlus Applications
C:\WINDOWS\tsitra11.exe


Note: If you have trouble deleting the above entries, then boot into Safe Mode to delete them.

--------------------------------------------------------------

Do you recognize this folder? Please open the folder and tell me what files and folders are within.

C:\From the Earth to the Moon

--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Java 2 Runtime Environment, SE v1.4.2_13 <- Known to be vulnerable to current infections out there

K-Lite Mega Codec Pack 1.53 <- Known to contain malware



--------------------------------------------------------------

Restart your computer for the changes to take effect.

--------------------------------------------------------------

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Double-click on jre-6u3-windowsi586-p.exe to install the newest version.

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please run HiJackThis again, and post the resulting log.

--------------------------------------------------------------

Please reply back with the following logs:

Inquiry about C:\From the Earth to the Moon
Panda Online Scan Results
New HiJackThis Log
Old 10-18-2007, 07:28 PM   #12
Registered User
Join Date: Sep 2007
Posts: 16
OS: XP

Re: Malware has taken over! Hijackthis logfile follows..

Sorry it took so long to reply, been having Internet troubles in my area.

Couldn't get Pandascan to work. It starts off well, but closes itself after completing ~25% of the scan.

C:\From the Earth to the Moon was an empty folder. Deleted.

Hijackthis Log follows:

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 8:26:05 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://chat.goarmy.com:8563/Java/cfs40320.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} (Java Plug-in 1.4.2_13) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
Old 10-18-2007, 10:22 PM   #13
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate

Re: Malware has taken over! Hijackthis logfile follows..

Let's try another online scan from Kaspersky. By the way, how is your system behaving now?

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Old 10-19-2007, 10:09 AM   #14
Registered User
Join Date: Sep 2007
Posts: 16
OS: XP

Re: Malware has taken over! Hijackthis logfile follows..

No visible improvement in performance.

Kaspersky Log:
Quote:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 19, 2007 11:04:53 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/10/2007
Kaspersky Anti-Virus database records: 439449
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 97039
Number of viruses found: 26
Number of infected objects: 57
Number of suspicious objects: 0
Duration of the scan process: 02:40:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\30bce980f4e112b170806961a95ec6ea_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\30bd22a59d0ebdb0099939752f25ecd1_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\36fede918ac6e8cff0b4f9a5fba6294a_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7eb56c0f467f1ef9f91c4a547cdeb87b_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\99996bb517d6687c865e2c08d4f5c928_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9ec1b2904fd2abcd9a7a9f75a176cf9e_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a80dce2b71fa0ef57384fada836a2b0b_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b75a2672b7512e47b740325731f75660_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Authentium\ESPC\prf\imdb.bin Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\actc.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\actind.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\activation.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\dbfile.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\dbind.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\vc.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Digital Editions\Vouchers\voucherlog.txt Object is locked skipped
C:\Documents and Settings\Michael Magee\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
C:\Documents and Settings\Michael Magee\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\History\History.IE5\MSHist012007101920071020\index.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\fla222.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\~DF117.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\~DF18A8.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\~DF1B27.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\~DF6401.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\~DF8AD9.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temp\~DF9943.tmp Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\8T4RFY9U\acdt-pid70[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\8T4RFY9U\acdt-pid70[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael Magee\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael Magee\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Save\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\Program Files\Save\Save.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwa.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwl.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwm.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwp.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\qoobox\Quarantine\C\Program Files\InetGet2\install.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\qoobox\Quarantine\C\WINDOWS\b103.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir NSIS: infected - 4 skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\qoobox\Quarantine\C\WINDOWS\b143.exe.vir Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\qoobox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan.Win32.Agent.bnd skipped
C:\qoobox\Quarantine\C\WINDOWS\retadpu11.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\qoobox\Quarantine\C\WINDOWS\retadpu72.exe.vir Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP602\A0059567.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP602\A0059567.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP602\A0059567.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP602\A0059573.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059691.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059692.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059692.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059692.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059692.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059694.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059695.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059696.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059698.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059699.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059701.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059702.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP604\A0060998.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP604\A0061000.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP609\A0061962.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP609\A0061963.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP609\A0061963.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP609\A0061963.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP610\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\retadpu11.exe.tmp Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DB6CC1E4-AD26-4E3F-AE64-335A5AB2403E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup Infected: Trojan.Win32.Qhost.my skipped
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081523.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000008-10011102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
CamwynF is offline  
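A quick way to read a report like the one above is to sort its findings by where they sit: detections inside C:\qoobox\Quarantine are ComboFix's own quarantined copies, detections under System Volume Information\_restore are System Restore snapshots, and "Object is locked" lines are hives and logs the scanner could not open, not infections. Only what is left is live on disk. The script below is an added example, not part of this thread or of Kaspersky's tooling; it parses the line format shown in the report (path, verdict, last action) and the sample lines are copied from the report above, so the categories and paths it assumes are the ones seen there.

```python
"""Triage a Kaspersky Online Scanner text report by where each finding lives."""
import re
from collections import Counter

# Constructed sample in the report's "<path> <verdict> <last action>" format.
# The lines are copied from the report quoted in this thread, not a live scan.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\30bce980f4e112b170806961a95ec6ea_48491b3c-ce3b-405c-828c-c5fa778e271c Object is locked skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\8T4RFY9U\acdt-pid70[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\8T4RFY9U\acdt-pid70[1].exe NSIS: infected - 1 skipped
C:\Program Files\Save\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\System Volume Information\_restore{3C20C16B-8086-4C47-AF51-39DA9B08B619}\RP603\A0059694.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\retadpu11.exe.tmp Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup Infected: Trojan.Win32.Qhost.my skipped
"""

# Verdicts seen in the format: "Infected: <name>", "Object is locked", or an
# archive summary such as "NSIS: infected - 3" (a container whose members
# were already listed on their own lines).
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<container>\w+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)


def classify(path: str) -> str:
    """Live file, ComboFix quarantine copy, or System Restore copy."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "quarantine"      # ComboFix's quarantine: inert, can be purged
    if r"\system volume information\_restore" in p:
        return "restore_point"   # System Restore copies: gone once restore points are flushed
    return "live"


def parse_report(report: str):
    """Yield (category, path, detection) for every finding line in the report."""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # header, settings and statistics lines are not findings
        if m.group("container"):
            yield "container", m.group("path"), f"{m.group('container')} x{m.group('count')}"
        elif m.group("name") is None:
            yield "locked", m.group("path"), None
        else:
            yield classify(m.group("path")), m.group("path"), m.group("name")


def summarize(report: str) -> Counter:
    """Count findings per category."""
    return Counter(cat for cat, _, _ in parse_report(report))


def live_files(report: str) -> list:
    """Distinct on-disk files that still carry a detection; archive members collapse
    onto their container ('x.exe/data0004' -> 'x.exe'), since Windows paths use '\\'."""
    files = []
    for cat, path, _ in parse_report(report):
        host = path.split("/")[0]
        if cat == "live" and host not in files:
            files.append(host)
    return files


if __name__ == "__main__":
    for cat, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{cat:14s} {n}")
    print("live files to act on:")
    for f in live_files(SAMPLE_REPORT):
        print("  " + f)
```

Run against the full report in this post, the live list reduces to the temporary-internet-files dropper, the two hosts backups, C:\WINDOWS\retadpu11.exe.tmp and the files under C:\Program Files\Save, which is the set the helper's CFScript goes after in the next reply; everything else the scanner flagged is already in quarantine or in restore points.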
Old 10-19-2007, 07:30 PM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: Malware has taken over! Hijackthis logfile follows..

Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1

ATF Cleaner

* Double-click ATF-Cleaner.exe to run the program.
* Click Select All found at the bottom of the list.
* Click the Empty Selected button.

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

* Click Opera at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\8T4RFY9U\acdt-pid70[1].exe
C:\WINDOWS\retadpu11.exe.tmp
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup
C:\Windows\system32\winav.exe

Folder::
C:\Program Files\Save

Registry::
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-
Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Please do an online virus scan with BitDefender:

http://www.bitdefender.com/scan8/ie.html
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply along with a new Hijack This log

--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
Bit Defender
forhockey is offline  
Old 10-27-2007, 07:32 PM   #16 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Re: Malware has taken over! Hijackthis logfile follows..

Sorry it took so long, internet was down due to the local flooding.

BitDefender's ActiveX prog would not install (it could not copy a file).

No improvement after Combofix process.

Combofix log:

Quote:
ComboFix 07-10-27.4 - Michael Magee 2007-10-27 20:10:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766 [GMT -5:00]
Running from: C:\Documents and Settings\Michael Magee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael Magee\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Michael Magee\Local Settings\Temporary Internet Files\Content.IE5\8T4RFY9U\acdt-pid70[1].exe
C:\WINDOWS\retadpu11.exe.tmp
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup
C:\Windows\system32\winav.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\ISM
C:\Program Files\Save
C:\Program Files\Save\ACM.dll
C:\Program Files\Save\ffext.mod
C:\Program Files\Save\save.db
C:\Program Files\Save\Save.exe
C:\Program Files\Save\save.htm
C:\Program Files\Save\SaveUninst.exe
C:\Program Files\Save\store.db
C:\Program Files\Temporary
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\retadpu11.exe.tmp
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup
C:\WINDOWS\tsitra11.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-27 10:20 <DIR> d-------- C:\Stargate.Atlantis.S04E05.PROPER.DSR.XviD-XOR
2007-10-19 08:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-19 08:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-10-18 20:51 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-18 19:44 <DIR> d-------- C:\Program Files\Java
2007-10-18 19:44 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-18 19:26 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-15 20:01 <DIR> d-------- C:\Simpsons Complete Seasons 1-17 [kl0wnz]
2007-10-13 18:39 <DIR> d-------- C:\Deckard
2007-10-13 18:33 1,184 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-12 20:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-11 07:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-10-09 16:51 <DIR> d-------- C:\WINDOWS\Sun
2007-09-30 00:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-30 00:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 17:46 --------- d-----w C:\Program Files\PeerGuardian2
2007-10-21 22:51 --------- d-----w C:\Program Files\Electronic Arts
2007-10-19 00:56 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2007-10-19 00:21 --------- d-----w C:\Program Files\Common Files\Real
2007-10-18 02:50 --------- d-----w C:\Program Files\eMule
2007-10-14 01:54 --------- d-----w C:\Program Files\EA GAMES
2007-10-06 21:56 --------- d-----w C:\Program Files\PokerStars
2007-10-04 09:46 142 ----a-w C:\Program Files\Common Files\zysok.html
2007-10-02 16:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-02 16:13 --------- d--h--w C:\Program Files\Common Files\Authentium Shared
2007-09-30 05:32 --------- d-----w C:\Program Files\Sierra
2007-09-16 17:57 --------- d-----w C:\Program Files\BitComet
2007-09-16 16:39 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-15 17:55 --------- d-----w C:\Program Files\Firaxis Games
2007-09-15 17:54 --------- d-----w C:\Documents and Settings\Michael Magee\Application Data\My Games
2007-09-12 18:39 --------- d-----w C:\Documents and Settings\Michael Magee\Application Data\Bioshock
2007-09-09 14:57 --------- d-----w C:\Program Files\MagicISO
2007-09-09 02:56 --------- d-----w C:\Program Files\Maxis
2007-09-07 03:08 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-07 03:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-09-07 00:23 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-06 20:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Authentium
2007-09-06 20:25 --------- d-----w C:\Program Files\Common Files\Authentium
2007-09-06 20:25 --------- d-----w C:\Program Files\Common Files\Aluria
2007-09-05 12:09 --------- d-----w C:\Program Files\Sierra Entertainment
2007-09-03 18:34 --------- d-----w C:\Program Files\CENEGA
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-17 03:31 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2(2)(3).dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups(2)(3).dll
2005-05-19 00:43 21,648 ----a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2007-10-14_ 9.10.43.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 1408 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-26 14:51:17 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2004-09-22 23:45:36 480,768 ----a-w C:\WINDOWS\system32\Audiodev.dll
+ 2006-10-19 02:47:08 276,992 ----a-w C:\WINDOWS\system32\audiodev.dll
- 2004-09-22 23:45:38 233,472 ----a-w C:\WINDOWS\system32\blackbox.dll
+ 2006-10-19 02:47:10 542,720 ----a-w C:\WINDOWS\system32\blackbox.dll
- 2004-09-22 23:45:38 161,792 ----a-w C:\WINDOWS\system32\cewmdm.dll
+ 2006-10-19 02:47:10 229,376 ----a-w C:\WINDOWS\system32\cewmdm.dll
- 2004-09-22 23:45:38 233,472 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
+ 2006-10-19 02:47:10 542,720 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
- 2004-09-22 23:45:38 161,792 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
+ 2006-10-19 02:47:10 229,376 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
- 2004-09-22 23:45:42 527,360 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
+ 2006-10-19 02:47:10 991,744 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
- 2004-09-22 23:45:44 6,656 -c--a-w C:\WINDOWS\system32\dllcache\laprxy.dll
+ 2006-10-19 02:47:14 11,264 -c--a-w C:\WINDOWS\system32\dllcache\LAPRXY.dll
- 2004-09-22 23:45:44 96,768 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
+ 2006-10-19 01:03:58 100,864 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
- 2004-10-08 12:01:47 310,272 -c--a-w C:\WINDOWS\system32\dllcache\mp43dmod.dll
+ 2006-10-19 02:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MP43DMOD.dll
- 2004-10-08 12:01:47 384,512 -c--a-w C:\WINDOWS\system32\dllcache\mp4sdmod.dll
+ 2006-10-19 02:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MP4SDMOD.dll
- 2004-10-08 12:01:47 240,640 -c--a-w C:\WINDOWS\system32\dllcache\mpg4dmod.dll
+ 2006-10-19 02:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MPG4DMOD.dll
- 2004-09-22 23:45:52 141,312 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2006-10-19 02:47:16 179,712 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
- 2004-09-22 23:45:54 25,088 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
+ 2006-10-19 02:47:16 27,136 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
- 2004-09-22 23:45:54 169,472 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
+ 2006-10-19 02:47:16 175,616 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
- 2004-09-22 23:45:56 360,176 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-12-04 21:21:50 414,720 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2004-09-22 23:45:56 311,296 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
+ 2006-10-19 02:47:16 321,536 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
- 2004-09-22 23:46:02 221,184 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
+ 2006-10-19 02:47:18 211,456 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
- 2004-09-22 23:46:10 380,144 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
+ 2006-10-19 02:47:18 757,248 -c--a-w C:\WINDOWS\system32\dllcache\WMADMOD.dll
- 2004-09-22 23:46:10 712,704 -c--a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll
+ 2006-10-19 02:47:18 1,117,696 -c--a-w C:\WINDOWS\system32\dllcache\WMADMOE.dll
- 2004-09-22 23:46:12 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2006-10-19 02:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
- 2004-09-22 23:46:12 30,208 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
+ 2006-10-19 02:47:18 33,792 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
- 2004-09-22 23:46:12 34,304 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
+ 2006-10-19 02:47:18 37,376 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
- 2004-09-22 23:46:14 150,016 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
+ 2006-10-19 02:47:20 157,184 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
- 2004-09-22 23:46:16 1,027,072 -c--a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll
+ 2006-10-19 02:47:20 937,984 -c--a-w C:\WINDOWS\system32\dllcache\WMNetMgr.dll
- 2004-09-22 23:46:26 773,368 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
- 2004-09-22 23:46:26 1,116,160 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
- 2004-09-22 23:46:30 531,192 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmod.dll
+ 2006-10-19 02:47:22 603,648 -c--a-w C:\WINDOWS\system32\dllcache\WMSPDMOD.dll
- 2004-09-22 23:46:30 936,960 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmoe.dll
+ 2006-10-19 02:47:22 1,329,152 -c--a-w C:\WINDOWS\system32\dllcache\WMSPDMOE.dll
- 2006-12-07 06:40:49 2,362,184 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-10-19 02:47:22 2,450,944 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2004-09-22 23:46:34 871,160 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
- 2004-09-22 23:46:34 999,424 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-19 02:47:22 671,232 ------w C:\WINDOWS\system32\drivers\UMDF\wpdmtpdr.dll
- 2004-09-22 23:46:38 18,944 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-10-19 01:00:00 38,528 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-09-28 23:55:50 77,568 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-29 00:00:34 82,944 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-10-19 01:00:46 249,856 ------w C:\WINDOWS\system32\drmupgds.exe
- 2004-09-22 23:45:42 527,360 ----a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2006-10-19 02:47:10 991,744 ----a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2004-09-22 23:45:44 6,656 ----a-w C:\WINDOWS\system32\laprxy.dll
+ 2006-10-19 02:47:14 11,264 ----a-w C:\WINDOWS\system32\LAPRXY.dll
- 2004-09-22 23:45:44 96,768 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-19 01:03:58 100,864 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-19 02:47:14 212,992 ------w C:\WINDOWS\system32\MFPLAT.dll
+ 2006-10-19 02:47:14 259,072 ------w C:\WINDOWS\system32\MP43DECD.dll
- 2004-10-08 12:01:47 310,272 ----a-w C:\WINDOWS\system32\mp43dmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MP43DMOD.dll
+ 2006-10-19 02:47:14 317,440 ------w C:\WINDOWS\system32\MP4SDECD.dll
- 2004-10-08 12:01:47 384,512 ----a-w C:\WINDOWS\system32\mp4sdmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MP4SDMOD.dll
+ 2006-10-19 02:47:14 259,072 ------w C:\WINDOWS\system32\MPG4DECD.dll
- 2004-10-08 12:01:47 240,640 ----a-w C:\WINDOWS\system32\mpg4dmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MPG4DMOD.dll
- 2004-09-22 23:45:52 141,312 ----a-w C:\WINDOWS\system32\msnetobj.dll
+ 2006-10-19 02:47:16 179,712 ----a-w C:\WINDOWS\system32\msnetobj.dll
- 2004-09-22 23:45:54 25,088 ----a-w C:\WINDOWS\system32\MsPMSNSv.dll
+ 2006-10-19 02:47:16 27,136 ----a-w C:\WINDOWS\system32\mspmsnsv.dll
- 2004-09-22 23:45:54 169,472 ----a-w C:\WINDOWS\system32\MsPMSP.dll
+ 2006-10-19 02:47:16 175,616 ----a-w C:\WINDOWS\system32\mspmsp.dll
- 2004-09-22 23:45:56 360,176 ----a-w C:\WINDOWS\system32\MSSCP.dll
+ 2006-12-04 21:21:50 414,720 ----a-w C:\WINDOWS\system32\msscp.dll
- 2004-09-22 23:45:56 311,296 ----a-w C:\WINDOWS\system32\MSWMDM.dll
+ 2006-10-19 02:47:16 321,536 ----a-w C:\WINDOWS\system32\mswmdm.dll
+ 2006-10-19 02:47:18 284,160 ------w C:\WINDOWS\system32\PortableDeviceApi.dll
+ 2006-10-19 02:47:18 101,888 ------w C:\WINDOWS\system32\PortableDeviceClassExtension.dll
+ 2006-10-19 02:47:18 166,912 ------w C:\WINDOWS\system32\PortableDeviceTypes.dll
+ 2006-10-19 02:47:18 132,096 ------w C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
+ 2006-10-19 02:47:18 199,168 ------w C:\WINDOWS\system32\PortableDeviceWMDRM.dll
- 2004-09-22 23:46:02 221,184 ----a-w C:\WINDOWS\system32\qasf.dll
+ 2006-10-19 02:47:18 211,456 ----a-w C:\WINDOWS\system32\qasf.dll
- 2006-11-17 21:14:30 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2005-06-28 15:20:24 13,536 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-09-06 21:43:16 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2006-09-16 06:05:22 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2007-10-05 15:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
- 2004-09-22 23:46:10 47,104 ----a-w C:\WINDOWS\system32\uwdf.exe
+ 2006-10-19 02:58:00 8,704 ----a-w C:\WINDOWS\system32\uwdf.exe
- 2004-09-22 23:46:10 15,872 ----a-w C:\WINDOWS\system32\wdfapi.dll
+ 2006-10-19 02:47:18 4,096 ----a-w C:\WINDOWS\system32\wdfapi.dll
- 2004-09-22 23:46:10 38,912 ----a-w C:\WINDOWS\system32\wdfmgr.exe
+ 2006-10-19 02:58:00 8,704 ----a-w C:\WINDOWS\system32\wdfmgr.exe
- 2004-09-22 23:46:10 380,144 ----a-w C:\WINDOWS\system32\wmadmod.dll
+ 2006-10-19 02:47:18 757,248 ----a-w C:\WINDOWS\system32\WMADMOD.dll
- 2004-09-22 23:46:10 712,704 ----a-w C:\WINDOWS\system32\wmadmoe.dll
+ 2006-10-19 02:47:18 1,117,696 ----a-w C:\WINDOWS\system32\WMADMOE.dll
- 2004-09-22 23:46:12 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2006-10-19 02:47:18 222,208 ----a-w C:\WINDOWS\system32\WMASF.dll
- 2004-09-22 23:46:12 30,208 ----a-w C:\WINDOWS\system32\WMDMLOG.dll
+ 2006-10-19 02:47:18 33,792 ----a-w C:\WINDOWS\system32\wmdmlog.dll
- 2004-09-22 23:46:12 34,304 ----a-w C:\WINDOWS\system32\WMDMPS.dll
+ 2006-10-19 02:47:18 37,376 ----a-w C:\WINDOWS\system32\wmdmps.dll
- 2004-09-22 23:46:12 344,064 ----a-w C:\WINDOWS\system32\WMDRMdev.dll
+ 2006-10-19 02:47:18 429,056 ----a-w C:\WINDOWS\system32\wmdrmdev.dll
- 2004-09-22 23:46:14 290,816 ----a-w C:\WINDOWS\system32\WMDRMNet.dll
+ 2006-10-19 02:47:20 348,672 ----a-w C:\WINDOWS\system32\wmdrmnet.dll
+ 2006-10-19 02:47:20 535,040 ------w C:\WINDOWS\system32\wmdrmsdk.dll
- 2004-09-22 23:46:14 150,016 ----a-w C:\WINDOWS\system32\wmidx.dll
+ 2006-10-19 02:47:20 157,184 ----a-w C:\WINDOWS\system32\wmidx.dll
- 2004-09-22 23:46:16 1,027,072 ----a-w C:\WINDOWS\system32\wmnetmgr.dll
+ 2006-10-19 02:47:20 937,984 ----a-w C:\WINDOWS\system32\WMNetMgr.dll
- 2004-09-22 23:46:26 773,368 ----a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
- 2004-09-22 23:46:26 1,116,160 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
- 2004-09-22 23:46:30 531,192 ----a-w C:\WINDOWS\system32\wmspdmod.dll
+ 2006-10-19 02:47:22 603,648 ----a-w C:\WINDOWS\system32\WMSPDMOD.dll
- 2004-09-22 23:46:30 936,960 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
+ 2006-10-19 02:47:22 1,329,152 ----a-w C:\WINDOWS\system32\WMSPDMOE.dll
- 2004-09-22 23:46:32 1,181,944 ----a-w C:\WINDOWS\system32\wmvadvd.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVD.dll
- 2004-09-22 23:46:32 1,509,376 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
- 2006-12-07 06:40:49 2,362,184 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-19 02:47:22 2,450,944 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-19 02:47:22 1,543,680 ------w C:\WINDOWS\system32\WMVDECOD.dll
- 2004-09-22 23:46:34 871,160 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
- 2004-09-22 23:46:34 999,424 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-19 02:47:22 1,574,912 ------w C:\WINDOWS\system32\WMVENCOD.dll
+ 2006-10-19 02:47:22 1,382,912 ------w C:\WINDOWS\system32\WMVSDECD.dll
+ 2006-10-19 02:47:22 767,488 ------w C:\WINDOWS\system32\WMVSENCD.dll
+ 2006-10-19 02:47:22 656,896 ------w C:\WINDOWS\system32\WMVXENCD.dll
- 2004-09-22 23:46:38 38,912 ----a-w C:\WINDOWS\system32\wpd_ci.dll
+ 2006-10-19 02:47:22 629,760 ----a-w C:\WINDOWS\system32\wpd_ci.dll
- 2004-09-22 23:46:36 61,952 ----a-w C:\WINDOWS\system32\wpdconns.dll
+ 2006-10-19 02:47:22 35,840 ----a-w C:\WINDOWS\system32\wpdconns.dll
- 2004-09-22 23:46:36 114,176 ----a-w C:\WINDOWS\system32\wpdmtp.dll
+ 2006-10-19 02:47:22 154,624 ----a-w C:\WINDOWS\system32\wpdmtp.dll
- 2004-09-22 23:46:36 66,560 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-19 02:47:22 63,488 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-19 02:47:22 2,603,008 ------w C:\WINDOWS\system32\WpdShext.dll
+ 2006-10-19 01:00:14 17,408 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-19 02:47:22 38,400 ------w C:\WINDOWS\system32\wpdshextres.dll
+ 2006-10-19 02:47:22 133,632 ------w C:\WINDOWS\system32\WPDShServiceObj.dll
- 2004-09-22 23:46:36 327,680 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-10-19 02:47:22 356,352 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-09-29 01:13:26 95,344 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-28 23:56:38 146,432 ------w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-28 23:56:16 165,376 ------w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-28 23:56:14 55,808 ------w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-28 23:56:38 316,416 ------w C:\WINDOWS\system32\WUDFx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-05 20:58]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-08 07:01]

C:\Documents and Settings\Michael Magee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-08-17 17:00:47]

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 20:20:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 20:24:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 20:39
C:\ComboFix2.txt ... 2007-10-15 11:10
.
--- E O F ---
Old 10-28-2007, 10:29 AM   #17 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: Malware has taken over! Hijackthis logfile follows..

Please do an online virus scan with BitDefender:

http://www.bitdefender.com/scan8/ie.html
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results".
  • Save the report to your desktop, then come back here and post it in your next reply along with a new HijackThis log.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 11-03-2007, 12:43 PM   #18 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Re: Malware has taken over! Hijackthis logfile follows..

Quote:
BitDefender Online Scanner

Scan report generated at: Wed, Oct 31, 2007 - 03:30:25

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 02:53:36
Files: 303318
Folders: 8038
Boot Sectors: 4
Archives: 3333
Packed Files: 17812

Results
Identified Viruses: 16
Infected Files: 18
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 18

Engines Info
Virus Definitions: 859269
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File | Status
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwa.exe.vir | Infected with: Trojan.Generic.50695
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwa.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwa.exe.vir | Deleted
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwl.exe.vir | Infected with: Trojan.Downloader.Tsupdate.R
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwl.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwl.exe.vir | Deleted
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwm.exe.vir | Infected with: Trojan.Downloader.Tsupdate.N
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwm.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwm.exe.vir | Deleted
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwp.exe.vir | Infected with: Trojan.Downloader.TSUpdate.Q
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwp.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\Program Files\Common Files\fqfw\fqfwp.exe.vir | Deleted
C:\qoobox\Quarantine\C\Program Files\InetGet2\install.exe.vir | Infected with: Rootkit.Agent.EV
C:\qoobox\Quarantine\C\Program Files\InetGet2\install.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\Program Files\InetGet2\install.exe.vir | Deleted
C:\qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir | Infected with: Trojan.Dnschange.F
C:\qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir | Deleted
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Infected with: Trojan.Downloader.Small.BUY
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Deleted
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir=>(NSIS o) | Update failed
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir | Infected with: Trojan.Agent.AFNF
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir | Deleted
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Infected with: Trojan.Downloader.Purityscan.EH
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Deleted
C:\qoobox\Quarantine\C\WINDOWS\b128.exe.vir=>(NSIS o) | Update failed
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Infected with: Rootkit.Agent.EV
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir=>(NSIS o)=>lzma_solid_nsis0002 | Deleted
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir=>(NSIS o) | Update failed
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir | Infected with: Trojan.Downloader.Agent.BHU
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir | Deleted
C:\qoobox\Quarantine\C\WINDOWS\retadpu11.exe.vir | Infected with: Trojan.Downloader.Agent.YHX
C:\qoobox\Quarantine\C\WINDOWS\retadpu11.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\retadpu11.exe.vir | Deleted
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup.vir | Infected with: Generic.Qhost.60FEA05A
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup.vir | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20071011-081522.backup.vir | Deleted
C:\qoobox\Quarantine\C\WINDOWS\tsitra11.exe.vir | Infected with: Trojan.Downloader.Agent.ECZ
C:\qoobox\Quarantine\C\WINDOWS\tsitra11.exe.vir | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\tsitra11.exe.vir | Deleted
C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir | Infected with: Trojan.Small.WY
C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir | Disinfection failed
C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir | Deleted
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip=>core.sys | Infected with: Rootkit.Agent.EV
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip=>core.sys | Disinfection failed
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip=>core.sys | Deleted
C:\qoobox\Quarantine\catchme2007-09-09_203643.50.zip | Updated
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081523.backup | Infected with: Generic.Qhost.16934822
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081523.backup | Disinfection failed
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081523.backup | Deleted
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081524.backup | Infected with: Generic.Qhost.CD01982A
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081524.backup | Disinfection failed
C:\WINDOWS\system32\drivers\etc\hosts.20071011-081524.backup | Deleted

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:40 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\CDisplay\CDISPLAY.EXE
C:\Program Files\Cox\Applications\app\WFRMailer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Michael Magee\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: New Folder
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://chat.goarmy.com:8563/Java/cfs40320.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} (Java Plug-in 1.4.2_13) -
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6327 bytes
Old 11-03-2007, 09:42 PM   #19 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: Malware has taken over! Hijackthis logfile follows..

Hi CamwynF,

I'm only seeing a few entries in your logs.

Can you navigate to the following folder and tell me if it exists and what is in it?

C:\Documents and Settings\Michael Magee\Start Menu\Programs\Startup\New Folder

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} (Java Plug-in 1.4.2_13) -

Please remember to close all other windows, including browsers then click Fix checked.
Old 11-06-2007, 06:34 PM   #20 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 16
OS: XP


Re: Malware has taken over! Hijackthis logfile follows..

C:\Documents and Settings\Michael Magee\Start Menu\Programs\Startup\New Folder

It exists and is empty. It also pops up every time I restart my pc.
Quote:
O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} (Java Plug-in 1.4.2_13) -
Fixed.
 


Copyright 2001 - 2009, Tech Support Forum