Forced to download Firefox

menk · 11-28-2007, 07:41 AM

Hello

Someone has inserted a popup saying that my IE is outdated and that I should install Firefox. With this popup I'm unable to continue to browse. Here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 9:37:41 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
D:\About Computer\Exe files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\ll2t.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {242F800B-2172-4659-A381-476B66E3DE2A} - C:\WINDOWS\system32\evxluuuxvnfpu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKLM\..\RunOnce: [uninsrest] C:\DOCUME~1\yangyq\LOCALS~1\Temp\uninrest.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

tetonbob · 12-02-2007, 06:33 PM

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

I need more information before continuing, please.

For now, I'd like a more comprehensive set of logs from Deckard's System Scanner.

---------------------------------------------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

When it does, just close it, please. Next....
---------------------------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.

To attach a file to a new post, simply

Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt
Click Upload.

What DSS will do:

create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Please post in your reply:

main.txt

Please attach to your reply:

extra.txt

menk · 12-02-2007, 10:40 PM

Hello ttbob

Good to hear from you.

During my head bashing on my pc

, I've come across this malware (among others) AKQFNP12.DLL in my system32 which could not be deleted or moved by avast. This must be the main culprit giving me that migraine.

Deckard's System Scanner v20071014.68
Run by yangyq on 2007-12-03 13:12:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 3 Restore Point(s) --
3: 2007-12-03 05:12:38 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-12-02 16:09:21 UTC - RP2 - ??? Symantec AntiVirus
1: 2007-12-02 13:38:14 UTC - RP1 - System Checkpoint

Performed disk cleanup.

-- HijackThis (run as yangyq.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:09 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\yangyq\Desktop\dss.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\yangyq.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - Default URLSearchHook is missing
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {242F800B-2172-4659-A381-476B66E3DE2A} - C:\WINDOWS\system32\evxluuuxvnfpu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {956D977E-3EE4-460F-8CD2-23CDEABBDC94} - C:\WINDOWS\system32\wseqxvis.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8877 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070729-223547-173 O15 - Trusted Zone: http://aolmusicnow.122.2o7.net
backup-20070729-223547-497 O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
backup-20070729-223550-904 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
backup-20070729-223552-891 O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
backup-20070729-223554-484 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
backup-20070729-223555-402 O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://cnet.radarsync.com/RSActiveX.ocx
backup-20070729-223557-529 O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
backup-20070729-223558-449 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
backup-20070729-223600-211 O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
backup-20070729-223601-473 O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
backup-20070729-223602-279 O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 akqfnp12 (akqfnp1) - c:\windows\system32\drivers\akqfnp12.sys
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R2 BaseTDI (Rising TDI Base Driver) - c:\windows\system32\drivers\basetdi.sys <Not Verified; Beijing Rising Technology Co., Ltd.; Rising PFW>

S0 kl1 - c:\windows\system32\drivers\kl1.sys (file missing)
S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 catchme - c:\docume~1\yangyq\locals~1\temp\catchme.sys (file missing)
S3 cwbwdm_device (Crystal WDM Audio Codec Driver) - c:\windows\system32\drivers\cwbwdm.sys <Not Verified; Crystal Semiconductor Corporation; Crystal ISA WDM Driver>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-03 00:17:45 0 d-------- C:\Program Files\Alwil Software
2007-12-02 16:12:40 476160 --a------ C:\WINDOWS\system32\wseqxvis.dll
2007-12-02 16:12:32 229376 --a------ C:\WINDOWS\inituusee.exe
2007-11-28 18:53:22 0 --a------ C:\WINDOWS\system\LVL
2007-11-28 18:37:44 8 --a------ C:\WINDOWS\ocinfo.dat
2007-11-28 18:36:17 20541 --a------ C:\WINDOWS\system32\detoured.dll <Not Verified; Microsoft Corporation; Microsoft Research Detours Package>
2007-11-28 18:36:17 0 d-------- C:\Program Files\Windows Live
2007-11-28 18:36:07 449024 --a------ C:\WINDOWS\SlientInstall2143.exe
2007-11-28 18:33:48 285800 --a------ C:\WINDOWS\dodolook324.exe
2007-11-28 18:33:12 0 --a------ C:\WINDOWS\system\DVL
2007-11-28 18:33:06 14848 -----n--- C:\WINDOWS\system32\akqfnp12.dll
2007-11-28 18:00:26 0 --a------ C:\WINDOWS\askerserkb.dll
2007-11-28 17:59:55 601600 --a------ C:\WINDOWS\system32\evxluuuxvnfpu.dll
2007-11-27 20:38:50 0 d-------- C:\Program Files\Hewlett-Packard
2007-11-27 19:48:18 1470 -----n--- C:\WINDOWS\hpomdl12.dat
2007-11-27 19:48:18 130920 --a------ C:\WINDOWS\hpoins12.dat
2007-11-27 19:40:47 2000 -----n--- C:\WINDOWS\hpomdl14.dat
2007-11-27 19:40:47 154010 -----n--- C:\WINDOWS\hpoins14.dat
2007-11-27 18:35:54 0 d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData
2007-11-21 22:39:38 0 d-------- C:\WINDOWS\network diagnostic
2007-11-21 15:25:23 0 d--h----- C:\Documents and Settings\Administrator.YANG\NetHood
2007-11-21 15:25:23 0 dr------- C:\Documents and Settings\Administrator.YANG\My Documents
2007-11-14 21:23:51 0 d-------- C:\WINDOWS\system32\URTTemp
2007-11-09 18:50:57 11796480 --a------ C:\Documents and Settings\yangyq\ntuser.dat
2007-11-09 18:50:56 417792 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-04 18:35:10 0 d-------- C:\Program Files\Common Files\HP
2007-11-03 09:35:50 0 d-------- C:\Documents and Settings\yangyq\Application Data\Printer Info Cache
2007-11-03 09:35:48 0 d-------- C:\Documents and Settings\yangyq\Application Data\Image Zone Express

-- Find3M Report ---------------------------------------------------------------

2007-12-03 00:11:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-03 00:11:24 0 d-------- C:\Program Files\Symantec
2007-12-03 00:11:14 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-28 18:36:17 0 d-------- C:\Program Files\MSN Messenger
2007-11-28 14:26:39 0 d-------- C:\Documents and Settings\yangyq\Application Data\Creative
2007-11-28 12:48:06 0 d-------- C:\Program Files\Creative
2007-11-27 21:39:56 0 d-------- C:\Program Files\HP
2007-11-25 19:11:37 0 d-------- C:\Program Files\Common Files
2007-11-25 13:37:34 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-25 13:34:31 0 d-------- C:\Program Files\Google
2007-11-25 13:26:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-25 13:25:41 0 d-------- C:\Documents and Settings\yangyq\Application Data\Samsung
2007-11-25 13:20:51 0 d-------- C:\Program Files\Common Files\Macromedia
2007-11-24 13:56:57 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-22 23:05:21 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-22 20:43:41 0 d-------- C:\Program Files\Windows Live Toolbar
2007-11-07 14:57:33 0 d-------- C:\Documents and Settings\yangyq\Application Data\Identities
2007-11-07 11:10:16 1901 --a------ C:\WINDOWS\panose.bin
2007-11-06 14:07:18 0 d-------- C:\Documents and Settings\yangyq\Application Data\HP
2007-11-02 16:58:09 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-10-15 21:35:01 0 d-------- C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound
2007-10-11 12:48:26 0 d-------- C:\Program Files\ANI
2007-09-20 09:53:54 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-06 23:21:45 3284 --a------ C:\WINDOWS\system32\ANIWZCS{0B3DD009-49F8-423F-B66C-DBEFB4AA537B}
2007-09-06 12:31:17 3284 --a------ C:\WINDOWS\system32\ANIWZCS{403864F0-84AB-4886-AF33-398E8D7C30D1}

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
03/02/2007 04:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 04:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{242F800B-2172-4659-A381-476B66E3DE2A}]
11/28/2007 05:59 PM 601600 --a------ C:\WINDOWS\system32\evxluuuxvnfpu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{956D977E-3EE4-460F-8CD2-23CDEABBDC94}]
12/02/2007 04:12 PM 476160 --a------ C:\WINDOWS\system32\wseqxvis.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 04:14 PM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [10/19/2005 06:19 PM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [11/11/2005 04:04 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"Vmlist"="regsvr32 /s apphelps.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439c65c8-52e5-11dc-8fc4-00e05e394056}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439c65c9-52e5-11dc-8fc4-00e05e394056}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

-- End of Deckard's System Scanner: finished at 2007-12-03 13:17:41 ------------

tetonbob · 12-02-2007, 10:56 PM

You've got a small pile of nasties on there....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop
Go to -> Run -> paste in the following single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall
Follow the prompts. Type "1" and press Enter to begin the scan.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

menk · 12-03-2007, 03:31 AM

ComboFix 07-12-02.7 - yangyq 2007-12-03 16:43:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT 8:00]
Running from: C:\Documents and Settings\yangyq\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\#SharedObjects\HJ3WBLTR\www.inter-focus.cn
C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\#SharedObjects\HJ3WBLTR\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\WINDOWS\dodolook324.exe
C:\WINDOWS\fn00321.log
C:\WINDOWS\ocinfo.dat
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\akqfnp12.dll
C:\WINDOWS\system32\akqfnp12.dllmmc.pkm
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\C2
C:\WINDOWS\system32\C2\DOCUMEr1\yangyq\LOCALSz1\Temp\Cookies\index.dat
C:\WINDOWS\system32\C2\DOCUMEr1\yangyq\LOCALSz1\Temp\History\History.IE5\index.dat
C:\WINDOWS\system32\C2\DOCUMEr1\yangyq\LOCALSz1\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\akqfnp12.sys
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AKQFNP12
-------\LEGACY_IPRIP
-------\akqfnp12
-------\Iprip

((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-03 15:14 . 2007-12-03 15:15 266,060 --a------ C:\WINDOWS\mhqq.exe
2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard
2007-12-03 00:18 . 2007-10-25 23:14 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-03 00:18 . 2007-10-26 00:05 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-03 00:18 . 2007-10-26 00:05 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-03 00:18 . 2007-10-26 00:01 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-03 00:18 . 2007-10-25 23:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-03 00:18 . 2007-10-26 00:03 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-03 00:17 . 2007-12-03 00:17 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-03 00:17 . 2007-10-25 23:24 815,480 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-03 00:17 . 2004-01-09 18:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-02 16:12 . 2007-12-02 16:12 476,160 --a------ C:\WINDOWS\system32\wseqxvis.dll
2007-12-02 16:12 . 2007-12-02 16:12 229,376 --a------ C:\WINDOWS\inituusee.exe
2007-11-28 18:37 . 2007-11-28 18:38 209 --a------ C:\WINDOWS\ie.ini
2007-11-28 18:36 . 2007-11-28 18:36 <DIR> d-------- C:\Program Files\Windows Live
2007-11-28 18:36 . 2007-11-28 18:36 449,024 --a------ C:\WINDOWS\SlientInstall2143.exe
2007-11-28 18:36 . 2007-11-28 18:36 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-28 18:00 . 2007-11-28 18:00 0 --a------ C:\WINDOWS\askerserkb.dll
2007-11-28 17:59 . 2007-11-28 17:59 601,600 --a------ C:\WINDOWS\system32\evxluuuxvnfpu.dll
2007-11-28 17:59 . 2007-12-03 15:15 226 --a------ C:\WINDOWS\system32\rsfunser.ini
2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2007-11-27 21:08 . 2006-12-16 00:04 258,048 -ra------ C:\WINDOWS\system32\SET277.tmp
2007-11-27 20:38 . 2007-11-27 20:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-27 19:48 . 2007-11-27 21:24 130,920 --a------ C:\WINDOWS\hpoins12.dat
2007-11-27 19:48 . 2007-01-23 00:05 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-11-27 19:40 . 2007-11-27 19:15 154,010 --------- C:\WINDOWS\hpoins14.dat
2007-11-27 19:40 . 2007-09-20 23:56 2,000 --------- C:\WINDOWS\hpomdl14.dat
2007-11-27 18:35 . 2007-11-27 18:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-11-24 14:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-11-24 14:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-11-14 21:23 . 2007-11-21 17:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-11-04 18:35 . 2007-11-27 20:46 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-04 18:31 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-11-03 09:35 . 2007-11-03 09:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\Printer Info Cache
2007-11-03 09:35 . 2007-11-27 20:56 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\Image Zone Express

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 08:57 17,805,344 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-03 08:54 209,660 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec
2007-12-02 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 10:36 --------- d-----w C:\Program Files\MSN Messenger
2007-11-28 06:26 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Creative
2007-11-28 04:48 --------- d-----w C:\Program Files\Creative
2007-11-27 13:39 --------- d-----w C:\Program Files\HP
2007-11-27 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-25 05:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-25 05:34 --------- d-----w C:\Program Files\Google
2007-11-25 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 05:25 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Samsung
2007-11-25 05:20 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-22 12:43 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-06 06:07 --------- d-----w C:\Documents and Settings\yangyq\Application Data\HP
2007-11-02 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-02 08:58 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-11-02 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-15 13:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound
2007-10-11 04:48 --------- d-----w C:\Program Files\ANI
2007-10-10 00:41 20,912,795 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_22_36_25_full.dmp.zip
2007-10-09 14:06 17,951,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_20_56_05_full.dmp.zip
2007-10-01 02:50 20,925,876 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_10_46_50_full.dmp.zip
2007-09-10 01:17 2,257,783 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT
2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{242F800B-2172-4659-A381-476B66E3DE2A}]
2007-11-28 17:59 601600 --a------ C:\WINDOWS\system32\evxluuuxvnfpu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{956D977E-3EE4-460F-8CD2-23CDEABBDC94}]
2007-12-02 16:12 476160 --a------ C:\WINDOWS\system32\wseqxvis.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-11 16:04]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52]
"Vmlist"="regsvr32 /s apphelps.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 23:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Spyware Doctor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 20:00 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 21:52 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R2 BaseTDI;Rising TDI Base Driver;C:\WINDOWS\system32\DRIVERS\BaseTDI.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 16:58:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 17:01:06 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:51 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {242F800B-2172-4659-A381-476B66E3DE2A} - C:\WINDOWS\system32\evxluuuxvnfpu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {956D977E-3EE4-460F-8CD2-23CDEABBDC94} - C:\WINDOWS\system32\wseqxvis.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8926 bytes

menk · 12-03-2007, 04:04 AM

Now, the IE is not running with add-on disabled, which is ok if it was done purposely during the combofix scan.

tetonbob · 12-03-2007, 09:10 AM

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/198207-forced-download-firefox-post1193585.html#post1193585

Killall::

File::
C:\WINDOWS\askerserkb.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{242F800B-2172-4659-A381-476B66E3DE2A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{956D977E-3EE4-460F-8CD2-23CDEABBDC94}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vmlist"=-

Collect::
C:\WINDOWS\system32\evxluuuxvnfpu.dll
C:\WINDOWS\mhqq.exe
C:\WINDOWS\system32\wseqxvis.dll
C:\WINDOWS\inituusee.exe

Suspect::
C:\WINDOWS\SlientInstall2143.exe
C:\WINDOWS\system32\detoured.dll
C:\WINDOWS\ie.ini

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

menk · 12-03-2007, 07:14 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10

04 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8045 bytes

tetonbob · 12-03-2007, 07:17 PM

Quote:

....it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Please also post the ComboFix log.

menk · 12-03-2007, 07:20 PM

The zipped file for submission has also been sent.

tetonbob · 12-03-2007, 07:26 PM

Quote:

Originally Posted by menk

The zipped file for submission has also been sent.

Thank you.

We may have cross posted. I require the log from ComboFix also, please. It's located at C:\ComboFix.txt if it's been closed.

tetonbob · 12-03-2007, 07:35 PM

Also....what happened to your AntiVirus program, Avast?

menk · 12-03-2007, 07:44 PM

For a moment I thought I had lost it!

I also thought you would ask about avast; I uninstalled it since it couldn't remove the malware. I'll install another asap. Appreciate your concern.

ComboFix 07-12-02.7 - yangyq 2007-12-04 9:44:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT 8:00]
Running from: C:\Documents and Settings\yangyq\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\yangyq\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\askerserkb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\askerserkb.dll
C:\WINDOWS\inituusee.exe
C:\WINDOWS\mhqq.exe
C:\WINDOWS\system32\evxluuuxvnfpu.dll
C:\WINDOWS\system32\wseqxvis.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 17:54 . 2007-12-03 17:54 24,576 --a------ C:\WINDOWS\my_70201.exe
2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard
2007-12-03 00:17 . 2007-12-03 00:17 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-28 18:37 . 2007-11-28 18:38 209 --a------ C:\WINDOWS\ie.ini
2007-11-28 18:36 . 2007-11-28 18:36 <DIR> d-------- C:\Program Files\Windows Live
2007-11-28 18:36 . 2007-11-28 18:36 449,024 --a------ C:\WINDOWS\SlientInstall2143.exe
2007-11-28 18:36 . 2007-11-28 18:36 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-28 17:59 . 2007-12-03 17:54 239 --a------ C:\WINDOWS\system32\rsfunser.ini
2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2007-11-27 21:08 . 2006-12-16 00:04 258,048 -ra------ C:\WINDOWS\system32\SET277.tmp
2007-11-27 20:38 . 2007-11-27 20:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-27 19:48 . 2007-11-27 21:24 130,920 --a------ C:\WINDOWS\hpoins12.dat
2007-11-27 19:48 . 2007-01-23 00:05 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-11-27 19:40 . 2007-11-27 19:15 154,010 --------- C:\WINDOWS\hpoins14.dat
2007-11-27 19:40 . 2007-09-20 23:56 2,000 --------- C:\WINDOWS\hpomdl14.dat
2007-11-27 18:35 . 2007-11-27 18:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-11-24 14:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-11-24 14:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-11-14 21:23 . 2007-11-21 17:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-11-04 18:35 . 2007-11-27 20:46 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-04 18:31 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 01:53 18,042,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-04 01:52 5,063,851 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-04 01:51 212,468 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec
2007-12-02 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 10:36 --------- d-----w C:\Program Files\MSN Messenger
2007-11-28 06:26 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Creative
2007-11-28 04:48 --------- d-----w C:\Program Files\Creative
2007-11-27 13:39 --------- d-----w C:\Program Files\HP
2007-11-27 12:56 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Image Zone Express
2007-11-27 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-25 05:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-25 05:34 --------- d-----w C:\Program Files\Google
2007-11-25 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 05:25 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Samsung
2007-11-25 05:20 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-22 12:43 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-06 06:07 --------- d-----w C:\Documents and Settings\yangyq\Application Data\HP
2007-11-03 01:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Printer Info Cache
2007-11-02 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-02 08:58 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-11-02 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-15 13:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound
2007-10-11 04:48 --------- d-----w C:\Program Files\ANI
2007-10-10 00:41 20,912,795 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_22_36_25_full.dmp.zip
2007-10-09 14:06 17,951,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_20_56_05_full.dmp.zip
2007-10-01 02:50 20,925,876 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_10_46_50_full.dmp.zip
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT
2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-03_16.59.16.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-03 08:57:25 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 01:53:30 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 01:53:34 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-11 16:04]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Spyware Doctor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 20:00 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 21:52 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R2 BaseTDI;Rising TDI Base Driver;C:\WINDOWS\system32\DRIVERS\BaseTDI.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 09:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 9:56:49 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-03 17:01
.
--- E O F ---

tetonbob · 12-03-2007, 07:45 PM

I'll be back with instructions in a little while. In the meantime...

You may want to try this one. It's very good.

Install this FREE AntiVirus program, update it, and run a full system scan.

Avira PersonalEdition Classic

Here is a tutorial on it's setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------

tetonbob · 12-03-2007, 07:50 PM

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/198207-forced-download-firefox.html#post1194784

File::
C:\WINDOWS\ie.ini
C:\WINDOWS\SlientInstall2143.exe
C:\WINDOWS\system32\detoured.dll
C:\WINDOWS\system32\rsfunser.ini

Collect::
C:\WINDOWS\my_70201.exe

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

Run a full system scan with your new AV, whatever you choose.

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

menk · 12-04-2007, 12:00 AM

Hello tt

File for analysis sent. Below are the logs. I'm also including the avscan log which indicates that there are 2 files--C:\hiberfil.sys & C:\pagefile.sys--which could not be opened. Is this acceptable? Avira has quarantined a few files, would it be safe to delete all of them?

ComboFix 07-12-02.7 - yangyq 2007-12-04 11:58:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.150 [GMT 8:00]
Running from: C:\Documents and Settings\yangyq\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\yangyq\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\ie.ini
C:\WINDOWS\SlientInstall2143.exe
C:\WINDOWS\system32\detoured.dll
C:\WINDOWS\system32\rsfunser.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ie.ini
C:\WINDOWS\my_70201.exe
C:\WINDOWS\SlientInstall2143.exe
C:\WINDOWS\system32\detoured.dll
C:\WINDOWS\system32\rsfunser.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 11:14 . 2007-12-04 11:14 <DIR> d-------- C:\Program Files\Avira
2007-12-04 11:14 . 2007-12-04 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard
2007-11-28 18:36 . 2007-11-28 18:36 <DIR> d-------- C:\Program Files\Windows Live
2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2007-11-27 21:08 . 2006-12-16 00:04 258,048 -ra------ C:\WINDOWS\system32\SET277.tmp
2007-11-27 20:38 . 2007-11-27 20:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-27 19:48 . 2007-11-27 21:24 130,920 --a------ C:\WINDOWS\hpoins12.dat
2007-11-27 19:48 . 2007-01-23 00:05 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-11-27 19:40 . 2007-11-27 19:15 154,010 --------- C:\WINDOWS\hpoins14.dat
2007-11-27 19:40 . 2007-09-20 23:56 2,000 --------- C:\WINDOWS\hpomdl14.dat
2007-11-27 18:35 . 2007-11-27 18:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-11-24 14:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-11-24 14:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-11-14 21:23 . 2007-11-21 17:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-11-04 18:35 . 2007-11-27 20:46 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-04 18:31 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 04:09 18,714,656 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-04 04:05 220,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-04 01:52 5,063,851 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec
2007-12-02 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 10:36 --------- d-----w C:\Program Files\MSN Messenger
2007-11-28 06:26 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Creative
2007-11-28 04:48 --------- d-----w C:\Program Files\Creative
2007-11-27 13:39 --------- d-----w C:\Program Files\HP
2007-11-27 12:56 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Image Zone Express
2007-11-27 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-25 05:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-25 05:34 --------- d-----w C:\Program Files\Google
2007-11-25 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 05:25 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Samsung
2007-11-25 05:20 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-22 12:43 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-06 06:07 --------- d-----w C:\Documents and Settings\yangyq\Application Data\HP
2007-11-03 01:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Printer Info Cache
2007-11-02 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-02 08:58 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-11-02 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-15 13:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound
2007-10-11 04:48 --------- d-----w C:\Program Files\ANI
2007-10-10 00:41 20,912,795 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_22_36_25_full.dmp.zip
2007-10-09 14:06 17,951,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_20_56_05_full.dmp.zip
2007-10-01 02:50 20,925,876 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_10_46_50_full.dmp.zip
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT
2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-03_16.59.16.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-09 05:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 06:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2007-12-04 03:36:01 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 02:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2007-12-03 08:57:25 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 04:08:39 214,364 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 04:08:44 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_82c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-11 16:04]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-04 11:35]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Spyware Doctor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 20:00 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 21:52 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R2 BaseTDI;Rising TDI Base Driver;C:\WINDOWS\system32\DRIVERS\BaseTDI.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - SSMDRV
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 12:09:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 12:11:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 09:56
C:\ComboFix3.txt ... 2007-12-03 17:01
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:30 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8587 bytes

AntiVir PersonalEdition Classic
Report file date: Tuesday, December 04, 2007 12:14

Scanning for 958476 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: yangyq
Computer name: YANG

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 06:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 05:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 08:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 05:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 03:35:59
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 03:35:59
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 11/30/2007 03:35:59
ANTIVIR3.VDF : 7.0.1.38 40448 Bytes 12/3/2007 03:35:59
AVEWIN32.DLL : 7.6.0.34 3125760 Bytes 12/4/2007 03:36:01
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 03:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 00:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 06:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 01:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 00:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 05:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 00:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 04:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 05:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 05:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 02:37:21

Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: quarantine
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, December 04, 2007 12:14

Starting search for hidden objects.
'42600' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'inetinfo.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( '24' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\qoobox\Quarantine\catchme2007-12-03_165628.75.zip
[0] Archive type: ZIP
--> akqfnp12.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> akqfnp12.dll
[DETECTION] Is the Trojan horse TR/Click.Agent.OA
[INFO] The file was moved to '47c8e88c.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\akqfnp12.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47c5e899.qua'!
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP2\A0000275.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '4784e86f.qua'!
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP2\A0000284.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was moved to '4784e870.qua'!
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000408.dll
[DETECTION] Is the Trojan horse TR/Click.Agent.OA
[INFO] The file was moved to '4784e880.qua'!
Begin scan in 'D:\'
Begin scan in 'A:\'
Search path A:\ could not be opened!
The device is not ready.

Begin scan in 'E:\' <Audio CD>

End of the scan: Tuesday, December 04, 2007 14:28
Used time: 2:13:55 min

The scan has been done completely.

6720 Scanning directories
280572 Files were scanned
6 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
280566 Files not concerned
4266 Archives were scanned
2 Warnings
2 Notes
42600 Objects were scanned with rootkit scan
0 Hidden objects were found

tetonbob · 12-04-2007, 08:17 AM

Thanks again for uploading the file. Both zip files can now be deleted from your desktop.

Quote:

there are 2 files--C:\hiberfil.sys & C:\pagefile.sys--which could not be opened. Is this acceptable?

Yes, these are locked system files, and not a concern.

Quote:

Avira has quarantined a few files, would it be safe to delete all of them?

They are safe in quarantine, but yes, also safe to finally delete items from quarantine once you're certain they are not falsely IDd. In this case, go right ahead.

System looks much better.

Though you just did a full system scan with Avira, it would be a good idea to run an online scan using another vendor's definitions. One may find what another misses.

Toward that end...

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Also let me know how the machine is behaving.

menk · 12-05-2007, 01:16 AM

Seems there is still some nonsense in there! Browsers are working properly though occasional links/bullets do not open up completely, showing just a red x in a square.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 3:39:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 472769
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 95070
Number of viruses found: 6
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 03:11:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yangyq\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED/installation94.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED/installation94.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 4 skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\History\History.IE5\MSHist012007120520071206\index.dat Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Temp\~DF6AFD.tmp Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Temp\~DF6B21.tmp Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\yangyq\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yangyq\ntuser.dat Object is locked skipped
C:\Documents and Settings\yangyq\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream/data0002/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir NSIS: infected - 9 skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP2\A0000287.dll Infected: not-a-virus:AdWare.Win32.Agent.wd skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe NSIS: infected - 9 skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP7\A0000809.dll Infected: not-a-virus:AdWare.Win32.Ejik.g skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YANG.ldb Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050420-092745-00.hdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050420-092745-00.mdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050505-040308-00.hdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050505-040308-00.mdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050509-120801-00.hdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050509-120801-00.mdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050517-083043-00.hdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050517-083043-00.mdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050524-110622-00.hdmp Object is locked skipped
C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050524-110622-00.mdmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_668.dat Object is locked skipped
C:\WINDOWS\temp\ZLT027b9.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT03ad2.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP10\change.log Object is locked skipped
D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso ISO image: infected - 4 skipped

Scan process completed.

tetonbob · 12-05-2007, 09:09 AM

Please empty your Outlook Express Deleted Items folder. To do so:

Open Outlook Express
Right click on Deleted Items
Select 'Empty Deleted Items folder'.
Click 'Yes' at the next popup box to succesfully empty the Deleted Items folder.

You may want to consider using these settings for your Outlook Express, which will automatically empty the deleted items folder upon exit:

Go to Tools > Options
Under the Maintenance Tab, checkmark the following boxes:

* Empty messages from 'Deleted item' folder on exit
* Purge deleted messages when leaving IMAP folders

The other items found by Kaspersky will be addressed by the following steps:

--------------------------------------------------------------------------------

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
FIREWALL
If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

menk · 12-06-2007, 08:49 PM

Hello tt

I've add a few tricks you've suggested. Before we close this, 1 last Q, what about those malwares found here such as - C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP2\A0000287.dll Infected: not-a-virus:AdWare.Win32.Agent.wd skipped
C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped.

Can I get rid of them by turning off and on Restore System?

11-28-2007, 07:41 AM	#1 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Forced to download Firefox Hello Someone has inserted a popup saying that my IE is outdated and that I should install Firefox. With this popup I'm unable to continue to browse. Here is my log: Logfile of HijackThis v1.99.1 Scan saved at 9:37:41 PM, on 11/28/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe C:\Program Files\D-Link\AirPlus G\AirGCFG.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe D:\About Computer\Exe files\hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\ll2t.dll O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {242F800B-2172-4659-A381-476B66E3DE2A} - C:\WINDOWS\system32\evxluuuxvnfpu.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll O4 - HKLM\..\RunOnce: [uninsrest] C:\DOCUME~1\yangyq\LOCALS~1\Temp\uninrest.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699 O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

12-02-2007, 06:33 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,443 OS: 2000 Pro; XP Pro; XP Home	Re: Forced to download Firefox Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. I need more information before continuing, please. For now, I'd like a more comprehensive set of logs from Deckard's System Scanner. --------------------------------------------------------------------------------------------- You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version. Next, download HijackThis to your desktop Alternate link Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis Upon install, HijackThis should open for you. When it does, just close it, please. Next.... --------------------------------------------------------------------------------------------- Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. Close all applications and windows. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here. Please attach extra.txt to your post. To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt Click Upload. What DSS will do: create a new System Restore point in Windows XP and Vista. clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives. check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed. --------------------------------------------------------------------------------------------- Please post in your reply: main.txt Please attach to your reply: extra.txt __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-02-2007, 10:56 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,443 OS: 2000 Pro; XP Pro; XP Home	Re: Forced to download Firefox You've got a small pile of nasties on there.... Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe * IMPORTANT !!! Place combofix.exe on your Desktop Go to -> Run -> paste in the following single line command & click OK "%userprofile%\desktop\combofix.exe" /killall Follow the prompts. Type "1" and press Enter to begin the scan. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-03-2007, 03:31 AM	#5 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox ComboFix 07-12-02.7 - yangyq 2007-12-03 16:43:24.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT 8:00] Running from: C:\Documents and Settings\yangyq\desktop\combofix.exe Command switches used :: /killall * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\#SharedObjects\HJ3WBLTR\www.inter-focus.cn C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\#SharedObjects\HJ3WBLTR\www.inter-focus.cn\IFFLASHAD_PLAYER.sol C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn C:\Documents and Settings\yangyq\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol C:\WINDOWS\dodolook324.exe C:\WINDOWS\fn00321.log C:\WINDOWS\ocinfo.dat C:\WINDOWS\system\dvl C:\WINDOWS\system\lvl C:\WINDOWS\system32\akqfnp12.dll C:\WINDOWS\system32\akqfnp12.dllmmc.pkm C:\WINDOWS\system32\AutoRun.inf C:\WINDOWS\system32\C2 C:\WINDOWS\system32\C2\DOCUMEr1\yangyq\LOCALSz1\Temp\Cookies\index.dat C:\WINDOWS\system32\C2\DOCUMEr1\yangyq\LOCALSz1\Temp\History\History.IE5\index.dat C:\WINDOWS\system32\C2\DOCUMEr1\yangyq\LOCALSz1\Temp\Temporary Internet Files\Content.IE5\index.dat C:\WINDOWS\system32\Cache C:\WINDOWS\system32\drivers\akqfnp12.sys D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_AKQFNP12 -------\LEGACY_IPRIP -------\akqfnp12 -------\Iprip ((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 ))))))))))))))))))))))))))))))) . 2007-12-03 15:14 . 2007-12-03 15:15 266,060 --a------ C:\WINDOWS\mhqq.exe 2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard 2007-12-03 00:18 . 2007-10-25 23:14 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-12-03 00:18 . 2007-10-26 00:05 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-03 00:18 . 2007-10-26 00:05 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-03 00:18 . 2007-10-26 00:01 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-03 00:18 . 2007-10-25 23:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-03 00:18 . 2007-10-26 00:03 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-03 00:17 . 2007-12-03 00:17 <DIR> d-------- C:\Program Files\Alwil Software 2007-12-03 00:17 . 2007-10-25 23:24 815,480 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-12-03 00:17 . 2004-01-09 18:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2007-12-02 16:12 . 2007-12-02 16:12 476,160 --a------ C:\WINDOWS\system32\wseqxvis.dll 2007-12-02 16:12 . 2007-12-02 16:12 229,376 --a------ C:\WINDOWS\inituusee.exe 2007-11-28 18:37 . 2007-11-28 18:38 209 --a------ C:\WINDOWS\ie.ini 2007-11-28 18:36 . 2007-11-28 18:36 <DIR> d-------- C:\Program Files\Windows Live 2007-11-28 18:36 . 2007-11-28 18:36 449,024 --a------ C:\WINDOWS\SlientInstall2143.exe 2007-11-28 18:36 . 2007-11-28 18:36 20,541 --a------ C:\WINDOWS\system32\detoured.dll 2007-11-28 18:00 . 2007-11-28 18:00 0 --a------ C:\WINDOWS\askerserkb.dll 2007-11-28 17:59 . 2007-11-28 17:59 601,600 --a------ C:\WINDOWS\system32\evxluuuxvnfpu.dll 2007-11-28 17:59 . 2007-12-03 15:15 226 --a------ C:\WINDOWS\system32\rsfunser.ini 2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx 2007-11-27 21:08 . 2006-12-16 00:04 258,048 -ra------ C:\WINDOWS\system32\SET277.tmp 2007-11-27 20:38 . 2007-11-27 20:38 <DIR> d-------- C:\Program Files\Hewlett-Packard 2007-11-27 19:48 . 2007-11-27 21:24 130,920 --a------ C:\WINDOWS\hpoins12.dat 2007-11-27 19:48 . 2007-01-23 00:05 1,470 --------- C:\WINDOWS\hpomdl12.dat 2007-11-27 19:40 . 2007-11-27 19:15 154,010 --------- C:\WINDOWS\hpoins14.dat 2007-11-27 19:40 . 2007-09-20 23:56 2,000 --------- C:\WINDOWS\hpomdl14.dat 2007-11-27 18:35 . 2007-11-27 18:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData 2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys 2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys 2007-11-24 14:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe 2007-11-24 14:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf 2007-11-14 21:23 . 2007-11-21 17:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp 2007-11-04 18:35 . 2007-11-27 20:46 <DIR> d-------- C:\Program Files\Common Files\HP 2007-11-04 18:31 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll 2007-11-03 09:35 . 2007-11-03 09:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\Printer Info Cache 2007-11-03 09:35 . 2007-11-27 20:56 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\Image Zone Express . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-03 08:57 17,805,344 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2007-12-03 08:54 209,660 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec AntiVirus 2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec 2007-12-02 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-12-02 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2007-11-28 10:36 --------- d-----w C:\Program Files\MSN Messenger 2007-11-28 06:26 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Creative 2007-11-28 04:48 --------- d-----w C:\Program Files\Creative 2007-11-27 13:39 --------- d-----w C:\Program Files\HP 2007-11-27 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP 2007-11-25 05:37 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-25 05:34 --------- d-----w C:\Program Files\Google 2007-11-25 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-25 05:25 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Samsung 2007-11-25 05:20 --------- d-----w C:\Program Files\Common Files\Macromedia 2007-11-22 12:43 --------- d-----w C:\Program Files\Windows Live Toolbar 2007-11-06 06:07 --------- d-----w C:\Documents and Settings\yangyq\Application Data\HP 2007-11-02 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG 2007-11-02 08:58 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard 2007-11-02 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard 2007-10-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2007-10-15 13:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound 2007-10-11 04:48 --------- d-----w C:\Program Files\ANI 2007-10-10 00:41 20,912,795 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_22_36_25_full.dmp.zip 2007-10-09 14:06 17,951,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_20_56_05_full.dmp.zip 2007-10-01 02:50 20,925,876 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_10_46_50_full.dmp.zip 2007-09-10 01:17 2,257,783 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe 2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll 2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT 2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}] 2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}] 2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{242F800B-2172-4659-A381-476B66E3DE2A}] 2007-11-28 17:59 601600 --a------ C:\WINDOWS\system32\evxluuuxvnfpu.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{956D977E-3EE4-460F-8CD2-23CDEABBDC94}] 2007-12-02 16:12 476160 --a------ C:\WINDOWS\system32\wseqxvis.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00] "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14] "ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19] "D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-11 16:04] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52] "Vmlist"="regsvr32 /s apphelps.dll" [] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 23:20] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00] "Spyware Doctor"="" [] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2004-08-04 20:00 C:\WINDOWS\system32\narrator.exe] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2006-12-10 21:52 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS R2 BaseTDI;Rising TDI Base Driver;C:\WINDOWS\system32\DRIVERS\BaseTDI.SYS R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-03 16:58:10 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-12-03 17:01:06 - machine was rebooted . --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:04:51 PM, on 12/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe C:\Program Files\D-Link\AirPlus G\AirGCFG.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\setup\avast.setup C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {242F800B-2172-4659-A381-476B66E3DE2A} - C:\WINDOWS\system32\evxluuuxvnfpu.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {956D977E-3EE4-460F-8CD2-23CDEABBDC94} - C:\WINDOWS\system32\wseqxvis.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699 O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 8926 bytes

12-03-2007, 04:04 AM	#6 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox Now, the IE is not running with add-on disabled, which is ok if it was done purposely during the combofix scan.

12-03-2007, 07:14 PM	#8 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1004 AM, on 12/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\D-Link\AirPlus G\AirGCFG.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106318163126 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130988789699 O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37940.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thi...wnloadCtrl.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 8045 bytes

12-03-2007, 07:20 PM	#10 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox The zipped file for submission has also been sent.

12-03-2007, 07:35 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,443 OS: 2000 Pro; XP Pro; XP Home	Re: Forced to download Firefox Also....what happened to your AntiVirus program, Avast? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-03-2007, 07:44 PM	#13 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox For a moment I thought I had lost it! I also thought you would ask about avast; I uninstalled it since it couldn't remove the malware. I'll install another asap. Appreciate your concern. ComboFix 07-12-02.7 - yangyq 2007-12-04 9:44:22.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT 8:00] Running from: C:\Documents and Settings\yangyq\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\yangyq\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\askerserkb.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\askerserkb.dll C:\WINDOWS\inituusee.exe C:\WINDOWS\mhqq.exe C:\WINDOWS\system32\evxluuuxvnfpu.dll C:\WINDOWS\system32\wseqxvis.dll . ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 ))))))))))))))))))))))))))))))) . 2007-12-03 17:54 . 2007-12-03 17:54 24,576 --a------ C:\WINDOWS\my_70201.exe 2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard 2007-12-03 00:17 . 2007-12-03 00:17 <DIR> d-------- C:\Program Files\Alwil Software 2007-11-28 18:37 . 2007-11-28 18:38 209 --a------ C:\WINDOWS\ie.ini 2007-11-28 18:36 . 2007-11-28 18:36 <DIR> d-------- C:\Program Files\Windows Live 2007-11-28 18:36 . 2007-11-28 18:36 449,024 --a------ C:\WINDOWS\SlientInstall2143.exe 2007-11-28 18:36 . 2007-11-28 18:36 20,541 --a------ C:\WINDOWS\system32\detoured.dll 2007-11-28 17:59 . 2007-12-03 17:54 239 --a------ C:\WINDOWS\system32\rsfunser.ini 2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx 2007-11-27 21:08 . 2006-12-16 00:04 258,048 -ra------ C:\WINDOWS\system32\SET277.tmp 2007-11-27 20:38 . 2007-11-27 20:38 <DIR> d-------- C:\Program Files\Hewlett-Packard 2007-11-27 19:48 . 2007-11-27 21:24 130,920 --a------ C:\WINDOWS\hpoins12.dat 2007-11-27 19:48 . 2007-01-23 00:05 1,470 --------- C:\WINDOWS\hpomdl12.dat 2007-11-27 19:40 . 2007-11-27 19:15 154,010 --------- C:\WINDOWS\hpoins14.dat 2007-11-27 19:40 . 2007-09-20 23:56 2,000 --------- C:\WINDOWS\hpomdl14.dat 2007-11-27 18:35 . 2007-11-27 18:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData 2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys 2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys 2007-11-24 14:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe 2007-11-24 14:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf 2007-11-14 21:23 . 2007-11-21 17:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp 2007-11-04 18:35 . 2007-11-27 20:46 <DIR> d-------- C:\Program Files\Common Files\HP 2007-11-04 18:31 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-04 01:53 18,042,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2007-12-04 01:52 5,063,851 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2007-12-04 01:51 212,468 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec AntiVirus 2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec 2007-12-02 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-12-02 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2007-11-28 10:36 --------- d-----w C:\Program Files\MSN Messenger 2007-11-28 06:26 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Creative 2007-11-28 04:48 --------- d-----w C:\Program Files\Creative 2007-11-27 13:39 --------- d-----w C:\Program Files\HP 2007-11-27 12:56 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Image Zone Express 2007-11-27 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP 2007-11-25 05:37 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-25 05:34 --------- d-----w C:\Program Files\Google 2007-11-25 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-25 05:25 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Samsung 2007-11-25 05:20 --------- d-----w C:\Program Files\Common Files\Macromedia 2007-11-22 12:43 --------- d-----w C:\Program Files\Windows Live Toolbar 2007-11-06 06:07 --------- d-----w C:\Documents and Settings\yangyq\Application Data\HP 2007-11-03 01:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Printer Info Cache 2007-11-02 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG 2007-11-02 08:58 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard 2007-11-02 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard 2007-10-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2007-10-15 13:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound 2007-10-11 04:48 --------- d-----w C:\Program Files\ANI 2007-10-10 00:41 20,912,795 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_22_36_25_full.dmp.zip 2007-10-09 14:06 17,951,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_20_56_05_full.dmp.zip 2007-10-01 02:50 20,925,876 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_10_46_50_full.dmp.zip 2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe 2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll 2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT 2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2007-12-03_16.59.16.98 ))))))))))))))))))))))))))))))))))))))))) . - 2007-12-03 08:57:25 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2007-12-04 01:53:30 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2007-12-04 01:53:34 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6a0.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}] 2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}] 2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00] "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14] "ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19] "D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-11 16:04] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00] "Spyware Doctor"="" [] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2004-08-04 20:00 C:\WINDOWS\system32\narrator.exe] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2006-12-10 21:52 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS R2 BaseTDI;Rising TDI Base Driver;C:\WINDOWS\system32\DRIVERS\BaseTDI.SYS R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-04 09:54:15 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-12-04 9:56:49 - machine was rebooted C:\ComboFix2.txt ... 2007-12-03 17:01 . --- E O F ---

12-03-2007, 07:45 PM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,443 OS: 2000 Pro; XP Pro; XP Home	Re: Forced to download Firefox I'll be back with instructions in a little while. In the meantime... You may want to try this one. It's very good. Install this FREE AntiVirus program, update it, and run a full system scan. Avira PersonalEdition Classic Here is a tutorial on it's setup and use: http://www.techsupportforum.com/cont...ticles/64.html Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-05-2007, 01:16 AM	#18 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox Seems there is still some nonsense in there! Browsers are working properly though occasional links/bullets do not open up completely, showing just a red x in a square. ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Wednesday, December 05, 2007 3:39:32 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 5/12/2007 Kaspersky Anti-Virus database records: 472769 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 95070 Number of viruses found: 6 Number of infected objects: 32 Number of suspicious objects: 0 Duration of the scan process: 03:11:48 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\yangyq\Cookies\index.dat Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED/installation94.exe Infected: Email-Worm.Win32.Swen skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED Infected: Email-Worm.Win32.Swen skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED/installation94.exe Infected: Email-Worm.Win32.Swen skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "Microsoft Technical Services" <tmucrxfkp@updates.com>][Date 2 Dec 2007 03:04:27 -0800]/UNNAMED Infected: Email-Worm.Win32.Swen skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Identities\{B150D80B-88E5-4CEA-9FDB-0F37D62D60C9}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 4 skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\History\History.IE5\MSHist012007120520071206\index.dat Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Temp\~DF6AFD.tmp Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Temp\~DF6B21.tmp Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\yangyq\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\yangyq\ntuser.dat Object is locked skipped C:\Documents and Settings\yangyq\ntuser.dat.LOG Object is locked skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream/data0002/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\qoobox\Quarantine\C\WINDOWS\dodolook324.exe.vir NSIS: infected - 9 skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP10\change.log Object is locked skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP2\A0000287.dll Infected: not-a-virus:AdWare.Win32.Agent.wd skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ia skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe NSIS: infected - 9 skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP7\A0000809.dll Infected: not-a-virus:AdWare.Win32.Ejik.g skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\Internet Logs\YANG.ldb Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050420-092745-00.hdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050420-092745-00.mdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050505-040308-00.hdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050505-040308-00.mdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050509-120801-00.hdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050509-120801-00.mdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050517-083043-00.hdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050517-083043-00.mdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050524-110622-00.hdmp Object is locked skipped C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20050524-110622-00.mdmp Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\temp\Perflib_Perfdata_668.dat Object is locked skipped C:\WINDOWS\temp\ZLT027b9.TMP Object is locked skipped C:\WINDOWS\temp\ZLT03ad2.TMP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP10\change.log Object is locked skipped D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso/updates/serial/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped D:\XP & Other Downloads\Microsoft Windows XP Pro Corporate Edition with SP2.iso ISO image: infected - 4 skipped Scan process completed.

12-05-2007, 09:09 AM	#19 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,443 OS: 2000 Pro; XP Pro; XP Home	Re: Forced to download Firefox Please empty your Outlook Express Deleted Items folder. To do so: Open Outlook Express Right click on Deleted Items Select 'Empty Deleted Items folder'. Click 'Yes' at the next popup box to succesfully empty the Deleted Items folder. You may want to consider using these settings for your Outlook Express, which will automatically empty the deleted items folder upon exit: Go to Tools > Options Under the Maintenance Tab, checkmark the following boxes: * Empty messages from 'Deleted item' folder on exit * Purge deleted messages when leaving IMAP folders The other items found by Kaspersky will be addressed by the following steps: -------------------------------------------------------------------------------- Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. FIREWALL If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here Do not install more than one firewall program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-06-2007, 08:49 PM	#20 (permalink)
menk Registered User Join Date: Nov 2007 Posts: 10 OS: xp sp2	Re: Forced to download Firefox Hello tt I've add a few tricks you've suggested. Before we close this, 1 last Q, what about those malwares found here such as - C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP2\A0000287.dll Infected: not-a-virus:AdWare.Win32.Agent.wd skipped C:\System Volume Information\_restore{FEF3F01B-AA76-436D-B01F-691CC212DFF1}\RP4\A0000400.exe/stream/data0002/stream/data0002/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.acc skipped. Can I get rid of them by turning off and on Restore System?