Hi! I just removed 600+ pieces of spyware. Did I get them all? Anything else I should be worried about? Thanks in advance for all your help!


Deckard's System Scanner v20071014.68
Run by admin on 2008-05-26 21:48:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-05-27 01:48:50 UTC - RP618 - Deckard's System Scanner Restore Point
11: 2008-05-26 23:31:18 UTC - RP617 - ComboFix created restore point
10: 2008-05-26 15:10:32 UTC - RP616 - System Checkpoint
9: 2008-05-24 18:02:15 UTC - RP615 - System Checkpoint
8: 2008-05-23 13:11:00 UTC - RP614 - System Checkpoint


-- First Restore Point --
1: 2008-05-13 02:04:32 UTC - RP607 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:02 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\admin\Desktop\Hardware Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/games/chess
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/games/chess
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [M2WNotifierService] C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: FreePOPs (3).lnk = C:\Program Files\FreePOPs\freepopsd.exe
O4 - Global Startup: Mozilla Firefox Primary Profile (3).lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Mozilla Thunderbird (2).lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Today.doc
O4 - Global Startup: Watchtower Library 2007 - Español.lnk = C:\Program Files\Watchtower\Watchtower Library 2007\S\wtlibrary.exe
O4 - Global Startup: ~$Today.doc
O4 - Global Startup: ~WRL0001.tmp
O4 - Global Startup: ~WRL0536.tmp
O4 - Global Startup: ~WRL1339.tmp
O4 - Global Startup: ~WRL1782.tmp
O4 - Global Startup: ~WRL2439.tmp
O4 - Global Startup: ~WRL4051.tmp
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {1D95A7C7-3282-4DB7-9A48-7C39CE152A19} (TeamOn Import Object) - https://bis.na.blackberry.com/html/web/clie...ls/TOImport.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121033866146
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/heavy_w...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6253 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080128-111257-554 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080128-111257-775 O4 - HKCU\..\Policies\Explorer\Run: [System Patcher] BTCPatcher.exe
backup-20080128-111257-857 O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
backup-20080128-111258-593 O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) -
backup-20080128-111258-690 O21 - SSODL: ULBrEIuBH - {4C0D169B-E6A7-BC31-EEBB-C1266F9C8E1F} - (no file)
backup-20080128-111258-781 O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
backup-20080128-111258-806 O20 - Winlogon Notify: qomkife - qomkife.dll (file missing)
backup-20080128-111258-916 O20 - Winlogon Notify: khfddde - khfddde.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 cmpci (Turtle Beach Riviera) - c:\windows\system32\drivers\cmaudio.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-24 13:27:43 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 21:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 21:11:24 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 21:11:22 0 d-------- C:\WINDOWS\LastGood
2008-05-26 21:03:55 0 dr-h---c- C:\Documents and Settings\admin\Recent
2008-05-26 19:30:50 68096 --a------ C:\WINDOWS\zip.exe
2008-05-26 19:30:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-26 19:30:50 80412 --a------ C:\WINDOWS\grep.exe
2008-05-26 19:30:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-26 19:30:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-26 19:30:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-26 19:30:49 98816 --a------ C:\WINDOWS\sed.exe
2008-05-26 19:30:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 11:54:01 0 d------c- C:\temp
2008-05-05 11:49:05 0 d-------- C:\Program Files\Ringo
2008-04-28 17:00:03 0 d------c- C:\Documents and Settings\admin\Application Data\Axosoft
2008-04-28 16:59:18 0 d-------- C:\Program Files\TBFDropZone


-- Find3M Report ---------------------------------------------------------------

2008-05-26 21:16:32 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-26 20:07:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 16:23:18 0 d------c- C:\Documents and Settings\admin\Application Data\gtk-2.0
2008-05-18 18:48:50 0 d-------- C:\Documents and Settings\admin\Application Data\uTorrent
2008-05-17 11:22:15 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-11 14:32:09 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-07 09:33:44 0 d-------- C:\Program Files\AIM6
2008-05-04 12:33:19 0 d------c- C:\Documents and Settings\admin\Application Data\Real
2008-04-16 18:25:00 8135 --a----c- C:\WINDOWS\mozver.dat
2008-04-09 12:51:49 0 d-------- C:\Program Files\Investintech.com Inc
2008-04-09 12:46:13 0 d-------- C:\Program Files\PDF Editor 2
2008-03-30 11:38:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-30 11:35:28 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-30 11:14:04 0 d-------- C:\Program Files\M2W Notifier Service
2008-03-30 11:13:24 0 d-------- C:\Program Files\AIM
2008-03-30 11:12:56 0 d------c- C:\Documents and Settings\admin\Application Data\Aim
2008-03-28 16:45:40 0 d------c- C:\Documents and Settings\admin\Application Data\acccore
2008-03-28 16:44:52 0 d-------- C:\Program Files\Viewpoint
2008-03-28 16:44:16 0 d-------- C:\Program Files\Common Files\AOL
2008-03-28 15:14:55 0 d-------- C:\Program Files\AOD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [06/08/2004 12:31 PM C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"M2WNotifierService"="C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe" [12/27/2001 01:17 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe" [10/01/2006 02:03 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/06/2008 04:50 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/26/2008 08:07 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreePOPs (3).lnk - C:\Program Files\FreePOPs\freepopsd.exe [11/17/2007 11:25:16 AM]
Mozilla Firefox Primary Profile (3).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [9/13/2005 10:46:19 AM]
Mozilla Thunderbird (2).lnk - C:\Program Files\Mozilla Thunderbird\thunderbird.exe [10/16/2007 10:24:02 PM]
Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [7/14/2003 10:45:18 PM]
Today.doc [5/25/2008 3:05:51 PM]
Watchtower Library 2007 - Español.lnk - C:\Program Files\Watchtower\Watchtower Library 2007\S\wtlibrary.exe [10/25/2007 9:35:38 AM]
~$Today.doc [2/5/2008 9:07:50 AM]
~WRL0001.tmp [3/29/2008 2:35:07 PM]
~WRL0536.tmp [5/19/2008 12:20:11 AM]
~WRL1339.tmp [2/19/2008 1:22:57 PM]
~WRL1782.tmp [2/19/2008 1:23:42 PM]
~WRL2439.tmp [2/18/2008 8:55:12 PM]
~WRL4051.tmp [2/4/2008 10:08:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/26/2008 08:07 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

12210 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-26 21:52:02 ------------
 