Tech Support Forum banner
Cancel

Help PLEASE! malware found

Jump to Latest Follow
Status
Not open for further replies.
1 - 2 of 2 Posts
C

· Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
I have been getting warnings from my Avast antivirus about the following four viruses:

C:\WINDOWS\ksacre.exe
C:\WINDOWS\daverx.exe
C:\WINDOWS\System32\protector.exe
C:\WINDOWS\System32\ntio256.exe

the ksacre.exe one keeps popping up again and again and no matter how many times I move it to the quarantine, I still get it again.
Can someone please help me to remove them? or tell me what I should do? I am a total newbie here, so please explain it as you would to a 5 year old...

Thank you.

I ran ActiveScan and it found 2 viruses that it said it cleaned and four spyware. I saved the report. It is here:

Status Location

Adware:adware program Not disinfected Windows Registry
Hacktool:Hacktool/MailBomber.F Not disinfected C:\Documents and Settings\Carrie\My Documents\Panopticum_Fire_2_1_.0\PanFire2Psd.exe
Virus:Generic Malware Disinfected C:\Program Files\DIGStream\digstream.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\bronto.dll
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20071117-112521.backup
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\skuns.dat
I don't know what to do next. Please help if you can. Thank you.

Here is my DSS log:

Deckard's System Scanner v20071014.68
Run by Carrie on 2007-11-17 17:37:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
74: 2007-11-17 23:37:11 UTC - RP159 - Deckard's System Scanner Restore Point
73: 2007-11-17 23:30:21 UTC - RP158 - Software Distribution Service 3.0
72: 2007-11-17 20:34:39 UTC - RP157 - Removed Corel Paint Shop Pro X
71: 2007-11-17 20:29:59 UTC - RP156 - Removed Corel Paint Shop Pro Photo X2.
70: 2007-11-17 20:26:03 UTC - RP155 - Removed Microsoft Silverlight


-- First Restore Point --
1: 2007-08-17 04:56:01 UTC - RP86 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Carrie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:31 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolw.exe
C:\Program Files\HistoryKill 2006\histkill.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\spoolw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Carrie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Carrie.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [histkill] "C:\Program Files\HistoryKill 2006\histkill.exe" /STARTUP
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Carrie\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.6.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 12453 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>
R2 FdRedir - c:\program files\common files\protector suite ql\drivers\fdredir.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R2 FileDisk2 (FileDisk Protector Kernel Driver) - c:\program files\common files\protector suite ql\drivers\filedisk.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 smihlp (SMI helper driver) - c:\program files\protector suite ql\smihlp.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R3 CB103 (CardBus Fast Ethernet Attached Port PC Card Driver) - c:\windows\system32\drivers\cb103nd5.sys <Not Verified; CARDBUSs; CardBus Fast Ethernet PC Card>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S2 ntio256 (Input and output operations) - c:\windows\system32\ntio256.sys (file missing)
S3 WmaCDriverV32 - c:\windows\system32\drivers\wmacdriverv32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver>
S3 WmaCVideo32 - c:\windows\system32\drivers\wmacvideo32.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-23 10:19:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-10-17 and 2007-11-17 -----------------------------

2007-11-17 17:39:46 0 d-------- C:\Program Files\Trend Micro
2007-11-17 17:36:15 0 dr-h----- C:\Documents and Settings\Carrie\Recent
2007-11-17 17:23:18 0 d-------- C:\ie-spyad_zo
2007-11-17 17:13:25 0 d-------- C:\Program Files\SpywareBlaster
2007-11-17 15:06:29 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-17 15:06:28 0 d-------- C:\WINDOWS\LastGood
2007-11-17 13:36:29 355328 --a------ C:\WINDOWS\xlravcrx.exe
2007-11-17 13:31:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-17 11:19:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 23:15:15 63488 --a------ C:\WINDOWS\system32\spoolw.exe
2007-11-16 23:15:15 289280 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-11-16 10:56:36 0 d-------- C:\WINDOWS\pss
2007-11-16 10:54:55 0 d-------- C:\Documents and Settings\Carrie\.housecall6.6
2007-11-16 05:36:17 156336 --a------ C:\WINDOWS\dracee.exe
2007-11-16 01:27:31 6144 --a------ C:\WINDOWS\system32\skuns.dat
2007-11-16 01:27:31 13824 --a------ C:\WINDOWS\system32\bronto.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-10 16:04:42 0 d-------- C:\Converted
2007-11-10 15:59:12 2688 --a------ C:\WINDOWS\system32\drivers\WmaCVideo32.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
2007-11-10 15:59:12 513152 --a------ C:\WINDOWS\system32\drivers\WmaCDriverV32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver>
2007-11-08 00:43:33 212992 --a------ C:\WINDOWS\ALCHUNIN.EXE
2007-11-08 00:36:25 0 d-------- C:\Program Files\Alchemy Mindworks
2007-11-06 15:33:59 0 d-------- C:\Program Files\iPod
2007-11-06 05:18:34 160561 --a------ C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2007-11-06 05:18:34 0 d-------- C:\Program Files\Sqirlz Water Reflections
2007-11-04 12:12:06 0 d-------- C:\Program Files\Common Files\InterVideo
2007-11-04 12:11:40 0 d-------- C:\Program Files\InterVideo
2007-11-03 13:34:49 0 d-------- C:\Program Files\DVDFab HD Decrypter 3
2007-11-03 13:26:08 0 d-------- C:\Program Files\The KMPlayer
2007-11-03 12:36:58 0 d-------- C:\Documents and Settings\Carrie\Application Data\aignes
2007-11-03 12:36:32 0 d-------- C:\Program Files\AM-DeadLink
2007-11-02 19:49:01 0 d-------- C:\Program Files\Netflix
2007-10-29 14:57:34 213504 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-29 14:57:32 0 d-------- C:\Program Files\Saint Paint
2007-10-27 20:33:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Digital Film Tools
2007-10-27 18:14:34 0 d-------- C:\Program Files\blackmagic
2007-10-27 06:25:48 0 d-------- C:\Documents and Settings\Carrie\Shared
2007-10-27 06:25:37 0 d-------- C:\Documents and Settings\Carrie\Incomplete
2007-10-27 06:25:21 0 d-------- C:\Documents and Settings\Carrie\Application Data\LimeWire
2007-10-27 02:21:27 0 d-------- C:\Program Files\DivX
2007-10-26 23:57:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-10-26 23:51:42 0 d-------- C:\Documents and Settings\Carrie\Application Data\InstallShield
2007-10-26 21:49:20 0 d-------- C:\Program Files\Veoh Networks
2007-10-24 08:19:50 0 d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-10-24 07:12:41 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-10-24 06:56:36 0 d-------- C:\Documents and Settings\Carrie\Application Data\Grisoft
2007-10-23 18:54:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-23 18:54:34 13107200 --a------ C:\Documents and Settings\Carrie\ntuser.dat
2007-10-21 16:10:04 168 -r-hs---- C:\WINDOWS\system32\C1D5D725DD.sys
2007-10-20 23:52:22 56 -----n--- C:\WINDOWS\system32\DD25D7D5C1.sys
2007-10-20 23:50:42 0 d-------- C:\Documents and Settings\Carrie\Application Data\Corel
2007-10-20 23:48:43 6580 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-18 18:12:54 0 d-------- C:\WINDOWS\system32\bak


-- Find3M Report ---------------------------------------------------------------

2007-11-17 16:49:11 0 d-------- C:\Program Files\Protector Suite QL
2007-11-17 16:45:00 0 d-------- C:\Program Files\IZArc
2007-11-17 16:44:57 0 d-------- C:\Program Files\iTunes
2007-11-17 16:40:28 0 d-------- C:\Program Files\HistoryKill 2006
2007-11-17 16:40:26 0 d-------- C:\Program Files\Google
2007-11-17 16:39:59 0 d-------- C:\Program Files\DIGStream
2007-11-17 16:22:56 0 d-------- C:\Program Files\Common Files\Stardock
2007-11-17 16:17:54 0 d-------- C:\Program Files\Bonjour
2007-11-17 14:36:02 0 d-------- C:\Program Files\Common Files
2007-11-17 14:31:57 0 d-------- C:\Program Files\Corel
2007-11-17 14:25:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-17 13:32:54 337 --a------ C:\WINDOWS\system32\tablet.dat
2007-11-10 23:08:25 0 d-------- C:\Documents and Settings\Carrie\Application Data\Ahead
2007-11-06 15:32:44 0 d-------- C:\Program Files\QuickTime
2007-11-04 12:19:05 0 d-------- C:\Program Files\Jasc Software Inc
2007-11-04 12:13:14 0 d-------- C:\Program Files\InterVideo Information Service
2007-10-27 06:37:52 0 d-------- C:\Program Files\Java
2007-10-23 18:53:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 19:54:34 0 d-------- C:\Program Files\IncrediMail
2007-10-13 00:05:30 0 d-------- C:\Program Files\Font Fitting Room Deluxe
2007-10-13 00:04:27 0 d-------- C:\Documents and Settings\Carrie\Application Data\Font Fitting Room Deluxe
2007-10-08 11:49:00 0 d-------- C:\Program Files\Apple Software Update
2007-10-07 02:09:09 0 d-------- C:\Documents and Settings\Carrie\Application Data\GlobalSCAPE
2007-10-07 02:08:51 0 d-------- C:\Program Files\GlobalSCAPE
2007-10-07 01:54:02 0 d-------- C:\Program Files\FTP Commander
2007-10-06 14:07:46 0 d-------- C:\Program Files\PopCap Games
2007-10-04 08:16:35 0 d-------- C:\Program Files\Visicom Media
2007-10-04 06:53:37 0 d-------- C:\Program Files\CoffeeCup Software
2007-10-03 14:11:51 0 d-------- C:\Program Files\Pegtop
2007-10-01 18:16:46 81920 --a------ C:\WINDOWS\system32\SoftSkies.scr
2007-09-29 12:34:57 0 d-------- C:\Documents and Settings\Carrie\Application Data\Move Networks
2007-09-22 14:39:06 0 d-------- C:\Documents and Settings\Carrie\Application Data\IMVU
2007-09-21 19:23:21 0 d-------- C:\Program Files\AOL Games
2007-09-21 00:02:09 0 d-------- C:\Documents and Settings\Carrie\Application Data\Google
2007-09-20 20:22:14 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-20 20:22:10 0 d-------- C:\Documents and Settings\Carrie\Application Data\Mozilla
2007-09-18 14:46:13 0 d-------- C:\Documents and Settings\Carrie\Application Data\Rapid Tools
2007-08-21 23:17:42 16 --a------ C:\WINDOWS\popcinfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" []
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" []
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" []
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" []
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" []
"RTHDCPL"="RTHDCPL.EXE" [05/05/2006 07:59 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/04/2005 10:43 AM C:\WINDOWS\Alcmtr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [03/11/2005 04:03 PM C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [05/31/2005 10:00 PM C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [10/25/2007 10:20 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 10:12 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"CFSServ.exe"="CFSServ.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"dumprep"="C:\WINDOWS\system32\spoolw.exe" [11/16/2007 11:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"histkill"="C:\Program Files\HistoryKill 2006\histkill.exe" [05/15/2006 05:35 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [11/13/2007 03:48 PM]
"@"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\Carrie\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [5/8/2007 11:47:22 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 12:12:18 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [5/8/2007 8:26:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 05/05/2006 06:48 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\skuns.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"




-- Hosts -----------------------------------------------------------------------

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 atdmt.com
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 engine.awaps.net

7506 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-17 17:41:11 ------------
 

Attachments

Aaflac

· TSF-Enthusiast
Joined
·
923 Posts
#2 ·
Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download SmitfraudFix
Extract the files to the Desktop

~~~~
Start the computer in Safe Mode:
  • When the machine reboots, tap the F8 key before Windows starts
  • You are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.

~~~~
Open SmitfraudFix
  • Double-click smitfraudfix.cmd
  • Select Option 2 - Clean by typing 2 and press Enter (Deletes infected files)
  • You are prompted: Do you want to clean the registry? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.
You may be prompted to replace the infected file (if found).
Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

~~~~
Restart the computer to complete the removal process.

~~~~
Now, download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the SmitFraudFix report located at C:\rapport.txt , the ComboFix.txt, and a new HijackThis log in your reply.
 
1 - 2 of 2 Posts
Status
Not open for further replies.
About this Discussion
1 Reply
2 Participants
Last post:
Aaflac
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top