
Pop-Up Madness

Discussion in 'Malware and Virus Removal Archive' started by Cherysei, 2007/02/28.

  1. 2007/02/28
    Cherysei

    Cherysei Inactive Thread Starter

    Joined:
    2005/06/30
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Hello Forum,

    My niece has (unfortunately) been introduced into the world of MySpace. Today, I permitted her a few hours on my laptop. She managed to visit various "Pimp My Profile" sites and now I can't seem to stop a flow of pop-up windows... which ironically advertise Malware removal software, ha.

    Here is my HiJackThis log. Any help would be much appreciated!

    ----

    Logfile of HijackThis v1.99.1
    Scan saved at 8:49:41 PM, on 2/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\outlook\outlook.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\YMANTE~1\userinit.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
    C:\Program Files\Common Files\s?mbols\r?ndll.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Cheryse\LOCALS~1\Temp\Rar$EX00.672\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6A941BA7-873E-D4C8-4A72-D858170AF7E9} - C:\WINDOWS\system32\gsmrm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {95362948-BE8C-ED24-F3DC-B2DEBFC004E2} - C:\WINDOWS\system32\mnbq.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\YMANTE~1\userinit.exe" -vt yazb
    O4 - HKCU\..\Run: [Eioozcii] "C:\Program Files\Common Files\s?mbols\r?ndll.exe" 99001396
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
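Added example (editorial; not part of the original posts and not HijackThis code): a small Python triage pass over the O2/O4/O23 lines of the log above. It flags what a reviewer checks first: a BHO with no name or no file, an autostart entry that is a bare file name resolved through PATH, an entry under the Win9x-era RunServices key, a path containing a character HJT could not print (the `s?mbols\r?ndll.exe` entry), a core Windows binary name living outside its normal directory (`YMANTE~1\userinit.exe`), and a service whose binary name is one character off a real one (`svchosts.exe`). The list of system binaries, the edit-distance threshold and the wording of each reason are this example's own assumptions; the sample lines are copied from the posted log, with a few benign ones kept for contrast.

```python
"""Triage heuristics for HijackThis 1.99-style log lines. Added example for this
thread (not HijackThis code); the lists and checks are this example's assumptions."""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the first log in the thread, plus a
# few benign ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A941BA7-873E-D4C8-4A72-D858170AF7E9} - C:\WINDOWS\system32\gsmrm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\YMANTE~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Eioozcii] "C:\Program Files\Common Files\s?mbols\r?ndll.exe" 99001396
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Core Windows binaries and the only directories they belong in on XP (assumed baseline).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe", "rundll32.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
EXT = r"\.(?:exe|com|dll|scr|pif|bat)"
LINE = re.compile(r"^(O\d+) - (.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd: str) -> str:
    """Program path from a command line as HJT prints it: O4 lines usually quote
    paths, O23 lines usually do not (even with spaces); a stray quote is tolerated."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    for pat in (r"^(\S+?" + EXT + ")", r"^([A-Za-z]:\\.+?" + EXT + ")"):
        m = re.match(pat, cmd, re.I)
        if m:
            return m.group(1)
    return cmd.split()[0] if cmd else ""


def check(kind: str, body: str) -> List[str]:
    """Reasons to look twice at one O2/O4/O23 entry (empty list means nothing odd)."""
    reasons: List[str] = []
    if kind == "O2":
        m = re.match(r"BHO: (.*?) - (\{[^}]+\}) - (.*)", body)
        if m:
            name, _clsid, path = m.groups()
            if name == "(no name)":
                reasons.append("BHO with no name (vendors name their objects)")
            if path == "(no file)":
                reasons.append("BHO registered but its DLL is gone (orphaned entry)")
    elif kind == "O4":
        m = re.match(r"HK\w+\\\.\.\\(\w+): \[[^\]]*\] (.*)", body)
        if m:
            key, cmd = m.groups()
            exe = exe_path(cmd)
            parent, _, name = exe.lower().rpartition("\\")
            if key == "RunServices":
                reasons.append("RunServices key (Win9x-era; unusual for normal XP software)")
            if parent == "":
                reasons.append("bare file name, resolved through PATH rather than a fixed location")
            if "?" in exe:
                reasons.append("character HJT could not print in the path (look-alike name)")
            if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
                reasons.append(name + " outside its normal directory")
    elif kind == "O23":
        m = re.match(r"Service: (.*?) - (.*?) - (.*)", body)
        if m:
            _svc, owner, cmd = m.groups()
            if cmd.endswith("(file missing)"):
                reasons.append("service binary missing on disk")
                cmd = cmd[: -len("(file missing)")]
            parent, _, name = exe_path(cmd).lower().rpartition("\\")
            for sysname in sorted(SYSTEM_BINARIES):
                if name != sysname and edit_distance(name, sysname) == 1:
                    reasons.append(name + " is one character away from " + sysname)
            if owner == "Unknown owner" and parent in SYSTEM_DIRS:
                reasons.append("no vendor string for a service in a system directory")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """(line, reasons) for every O-section line that deserves a second look."""
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            reasons = check(*m.groups())
            if reasons:
                findings.append((raw.strip(), reasons))
    return findings
```

Every hit is a reason to look, not a verdict: `stsystra.exe` in the same log is also a bare name and is a legitimate SigmaTel tray applet, so the output is a reading order for the analyst, not a removal list. Run `triage(SAMPLE_LOG)` to see seven of the ten sample lines flagged, with the Adobe BHO, ehTray and the iPod service left alone.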
     
  2. 2007/02/28
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Trophy Points:
    106
    Location:
    Ontario
    Computer Experience:
    Where's the any key?
    Hi and welcome.

    Quite the mess you have. It will take a few tools and rounds of malware bashing to remove it all.
    I need a couple of other logs, though, to see what all we're dealing with. HijackThis does not show me enough.

    Download ComboScan to your Desktop.:

    http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

    This tool does not "fix" anything. Just shows what it can see.
    Not everything it shows means bad.

    Close all applications and windows.
    Double-click on comboscan.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - ComboScan.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Copy/paste the contents of Supplementary.txt to your next reply.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    What ComboScan will do:
    --create a new System Restore point in Windows XP and Vista.
    --clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    --check some important areas of your system and produce a report for your analyst to review.
    --ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


    Please double check both logs got posted OK. These logs can be kinda long and may get cut off. You may need to span the logs across several posts.

    Thanks :)

    PS: If you can, please try to keep offline as much as possible.
    Some of the infections you are dealing with are steadily downloading more malware, and there is a chance you have an email spam worm on board too, and we don't want to upset your ISP.

    Blender
     


  4. 2007/03/04
    Cherysei

    Hello, Blender!

    I'm sorry for the delay. I was not able to get online until today. I will post the two log files below this thread...
     
  5. 2007/03/04
    Cherysei

    Supplementary.txt Log

    ComboScan v20070226.18 run by Cheryse on 2007-03-04 at 19:41:00
    Supplementary logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information -----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Genuine Intel(R) CPU T2300 @ 1.66GHz
    CPU 1: Genuine Intel(R) CPU T2300 @ 1.66GHz
    Percentage of Memory in Use: 43%
    Physical Memory (total/avail): 502.37 MiB / 285.95 MiB
    Pagefile Memory (total/avail): 1227.34 MiB / 1018.83 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1975.49 MiB

    C: is Fixed (NTFS) - 31.21 GiB total, 0.67 GiB free.
    D: is CDROM (Unformatted)
    E: is Removable (No Media)
    F: is Removable (No Media)
    G: is Removable (No Media)
    H: is Removable (No Media)


    -- Security Center --------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.



    -- Environment Variables --------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Cheryse\Application Data
    CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DPU
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Cheryse
    LOGONSERVER=\\DPU
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0e08
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Cheryse\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Cheryse\LOCALS~1\Temp
    USERDOMAIN=DPU
    USERNAME=Cheryse
    USERPROFILE=C:\Documents and Settings\Cheryse
    windir=C:\WINDOWS


    -- User Profiles ----------------------------------------------------------------

    Pi'ilani (admin)
    Dabney (admin)
    Cheryse (admin)


    -- Add/Remove Programs ----------------------------------------------------------

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{943884D4-B604-496F-B132-DFA9C63FAF6A}\setup.exe" -l0x9
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
    Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
    Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
    Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
    Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
    AIM 6.0 --> C:\Program Files\AIM6\uninst.exe
    Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
    Broadcom 440x 10/100 Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
    Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
    Cool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exe
    Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
    Dell Wireless WLAN Card --> C:\WINDOWS\system32\BCMWLU00.exe verbose
    ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
    High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
    HijackThis 1.99.1 --> C:\DOCUME~1\Cheryse\LOCALS~1\Temp\Rar$EX00.672\HijackThis.exe /uninstall
    iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
    J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
    Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
    Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe "
    Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
    Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe "
    MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
    Power Commander 3 USB --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{212ADFE3-0EA7-4670-B629-058A6CF3C58E} AnyText
    QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
    Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
    Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
    SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
    SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe "
    Sound Blaster ADVANCED MB Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{943884D4-B604-496F-B132-DFA9C63FAF6A}\setup.exe" -l0x9 /remove
    Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
    Video Converter 3 --> C:\Program Files\Xilisoft\Video Converter 3\Uninstall.exe
    Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
    Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
    Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe "
    Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe "
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


    -- End of ComboScan: finished at 2007-03-04 at 19:42:36 -------------------------
     
  6. 2007/03/04
    Cherysei

    ComboScan.txt Log

    ComboScan v20070226.18 run by Cheryse on 2007-03-04 at 19:41:00
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Successfully created restore point.
    Performed disk cleanup.


    -- HijackThis (run as Cheryse.exe) ----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 7:42:12 PM, on 3/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Cheryse\Desktop\comboscan.exe
    C:\PROGRA~1\HIJACK~1\Cheryse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6A941BA7-873E-D4C8-4A72-D858170AF7E9} - C:\WINDOWS\system32\gsmrm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [DeleteDLL] cmd.exe /c del C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll > nul
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


    -- File Associations ------------------------------------------------------------

    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1 "
    .scr - scrfile - "%1" /S
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

    2R AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - C:\WINDOWS\system32\drivers\AegisP.sys
    3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
    3R BCM43XX (Dell Wireless WLAN Card Driver) - C:\WINDOWS\system32\drivers\BCMWL5.SYS
    3R bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - C:\WINDOWS\system32\drivers\bcm4sbxp.sys
    0S cercsr6 - C:\WINDOWS\system32\drivers\cercsr6.sys
    3R ctsfm2k (Creative SoundFont Management Device Driver) - C:\WINDOWS\system32\drivers\ctsfm2k.sys
    3R CTUSFSYN (Creative SoundFont Synthesizer) - C:\WINDOWS\system32\drivers\ctusfsyn.sys
    3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
    3R HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys
    3R HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
    3R HSFHWAZL - C:\WINDOWS\system32\drivers\HSFHWAZL.sys
    3R HSF_DPV - C:\WINDOWS\system32\drivers\HSF_DPV.sys
    1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
    2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
    3S MHNDRV (MHN driver) - C:\WINDOWS\system32\drivers\mhndrv.sys
    3R monfilt - C:\WINDOWS\system32\drivers\monfilt.sys
    3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
    3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
    0R ohci1394 (OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
    1R OMCI - C:\WINDOWS\system32\drivers\omci.sys
    3R ossrv (Creative OS Services Driver) - C:\WINDOWS\system32\drivers\ctoss2k.sys
    0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
    3R sdbus - C:\WINDOWS\system32\drivers\sdbus.sys
    3S sffdisk (SFF Storage Class Driver) - C:\WINDOWS\system32\drivers\sffdisk.sys
    3S sffp_sd (SFF Storage Protocol Driver for SDBus) - C:\WINDOWS\system32\drivers\sffp_sd.sys
    3S SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    3R STHDA (SigmaTel High Definition Audio CODEC) - C:\WINDOWS\system32\drivers\sthda.sys
    3S UIUSys (Conexant Setup API) - C:\WINDOWS\system32\drivers\UIUSys.sys (not found)
    3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
    3R USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
    3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
    3S WpdUsb - C:\WINDOWS\system32\drivers\wpdusb.sys
    0R WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
    3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    3S Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe "
    3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    2R ehRecvr (Media Center Receiver Service) - C:\WINDOWS\eHome\ehRecvr.exe
    2R ehSched (Media Center Scheduler Service) - C:\WINDOWS\eHome\ehSched.exe
    3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe "
    3R iPod Service - "C:\Program Files\iPod\bin\iPodService.exe "
    3S Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe "
    2R McrdSvc (Media Center Extender Service) - C:\WINDOWS\ehome\mcrdsvc.exe
    3S MHN - C:\WINDOWS\System32\svchost.exe -k netsvcs
    3R usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe "
    2R wltrysvc (Dell Wireless WLAN Tray Service) - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe
    2S Client IP-IPX - "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140


    -- Scheduled Tasks --------------------------------------------------------------

    2007-03-02 20:00:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


    -- Files created between 2007-02-04 and 2007-03-04 ------------------------------

    2007-03-04 19:42:02 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
    2007-03-04 19:36:44 376915 --a------ C:\Program Files\Uninstall Fun Web Products.dll<UNINST~1.DLL>
    2007-03-04 07:03:30 0 d-------- C:\Program Files\Common Files\{504A4518-067E-1033-0301-0601060001}<{504A4~1>
    2007-03-03 18:02:06 0 d-a------ C:\Program Files\MyWebSearch<MYWEBS~1>
    2007-02-26 11:26:06 0 d-------- C:\Program Files\Common Files\s?mbols
    2007-02-25 10:58:15 2 --a------ C:\WINDOWS\system32\wnscpsv.exe
    2007-02-25 10:58:14 0 d-------- C:\Program Files\Common Files\?ymbols
    2007-02-25 10:57:57 0 d-------- C:\WINDOWS\system32\?ystem
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\tracert.com
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\tasklist.com
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\taskkill.com
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\regedit.com
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\ping.com
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\netstat.com
    2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\cmd.com
    2007-02-25 10:55:45 62464 --a------ C:\WINDOWS\system32\bszip.dll
    2007-02-24 10:22:24 0 d-------- C:\Documents and Settings\Cheryse\Application Data\Lavasoft
    2007-02-24 10:22:03 0 d-------- C:\Program Files\Lavasoft
    2007-02-24 10:21:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
    2007-02-23 07:21:15 0 d-------- C:\Documents and Settings\Cheryse\Application Data\s?stem32
    2007-02-23 07:20:17 0 d-------- C:\Program Files\s?curity
    2007-02-22 09:23:28 0 d-------- C:\WINDOWS\?dobe
    2007-02-22 08:17:15 0 d-------- C:\Program Files\Common Files\??curity
    2007-02-22 08:17:14 56832 --a------ C:\WINDOWS\system32\gsmrm.dll
    2007-02-21 11:52:23 0 d-------- C:\Documents and Settings\Cheryse\Application Data\??mbols
    2007-02-21 11:51:52 0 d-------- C:\Program Files\Common Files\?icrosoft
    2007-02-21 11:51:36 0 d-------- C:\Program Files\Common Files\{304A4518-067E-1033-0301-0601060001}<{304A4~1>
    2007-02-21 11:51:35 2560 --a------ C:\WINDOWS\system32\unsvchosts.exe<UNSVCH~1.EXE>
    2007-02-21 11:51:35 36864 --a------ C:\WINDOWS\system32\svchosts.exe
    2007-02-21 08:07:37 0 d-------- C:\Documents and Settings\Dabney\Application Data\LimeWire
    2007-02-20 18:31:40 0 d--hs---- C:\Program Files\outlook
    2007-02-20 18:31:40 0 d--hs---- C:\Documents and Settings\Cheryse\Complete
    2007-02-20 16:55:53 0 d-------- C:\Program Files\Xilisoft
    2007-02-19 11:32:20 23552 --a------ C:\WINDOWS\xobglu32.dll
    2007-02-19 11:32:20 63488 --a------ C:\WINDOWS\xobglu16.dll
    2007-02-17 12:15:05 0 d-------- C:\Program Files\LimeWire
    2007-02-16 20:16:38 0 d-------- C:\Program Files\iTunes
    2007-02-13 18:41:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems<ADOBES~1>
    2007-02-13 18:41:06 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared<ADOBES~1>
    2007-02-11 19:36:38 0 d-------- C:\Program Files\Common Files\xing shared<XINGSH~1>
    2007-02-11 13:02:19 55808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
    2007-02-11 13:02:17 69632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2007-02-11 13:02:16 462848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2007-02-11 13:02:16 450560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2007-02-11 13:02:16 163840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2007-02-11 13:02:16 206336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2007-02-11 13:02:16 299008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2007-02-11 13:02:16 401408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2007-02-11 13:02:16 57344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2007-02-06 16:05:08 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>


    -- Find3M Report ----------------------------------------------------------------

    2007-03-04 19:40:25 0 d-------- C:\Program Files\Soulseek
    2007-03-04 18:32:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-03-03 18:02:09 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
    2007-02-21 14:07:30 0 d-------- C:\Documents and Settings\Cheryse\Application Data\Adobe
    2007-02-21 14:07:30 0 d-------- C:\Documents and Settings\Cheryse\Application Data\?dobe
    2007-02-19 10:45:27 0 d-------- C:\Program Files\AIM6
    2007-02-19 10:15:18 0 d-------- C:\Documents and Settings\Cheryse\Application Data\Mozilla
    2007-02-16 20:16:48 0 d-------- C:\Program Files\iPod
    2007-02-13 20:30:22 0 d-------- C:\Program Files\Google
    2007-02-13 20:22:34 0 d-------- C:\Program Files\Common Files\Adobe
    2007-02-13 18:53:08 0 d-------- C:\Program Files\Real
    2007-02-13 18:48:38 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
    2007-02-11 19:38:56 0 d-------- C:\Documents and Settings\Cheryse\Application Data\Real
    2007-02-11 19:36:20 0 d-------- C:\Program Files\Common Files\Real
    2007-02-09 20:00:54 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
    2007-02-03 09:39:27 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
    2007-01-31 22:20:17 1168 --a------ C:\WINDOWS\mozver.dat
    2007-01-31 22:19:28 0 d-------- C:\Documents and Settings\Cheryse\Application Data\Talkback
    2007-01-28 22:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
    2007-01-19 14:35:27 0 d-------- C:\Program Files\Java
    2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
    2007-01-18 10:21:05 0 d-------- C:\Documents and Settings\Cheryse\Application Data\Viewpoint<VIEWPO~1>
    2007-01-14 13:59:38 71752 --a------ C:\Documents and Settings\Cheryse\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
    2007-01-13 23:08:59 0 d-------- C:\Program Files\Common Files\Roxio Shared<ROXIOS~1>
    2007-01-13 23:01:22 0 d-------- C:\Program Files\MySpace
    2007-01-13 23:01:22 0 d-------- C:\Program Files\GeoVid
    2007-01-13 23:01:22 0 d-------- C:\Program Files\GemMaster<GEMMAS~1>
    2007-01-13 23:01:22 0 d-------- C:\Program Files\AOD
    2007-01-13 23:00:58 0 d-------- C:\Program Files\Winter Fun Pack 2004 for Windows XP(2)<WINTER~1>
    2007-01-13 10:33:44 0 d-------- C:\Program Files\RGB
    2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
    2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
    2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
    2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
    2007-01-09 18:50:42 0 d---s---- C:\Documents and Settings\Cheryse\Application Data\Microsoft<MICROS~1>
    2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
    2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
    2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
    2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
    2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2007-01-08 19:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
    2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
    2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
    2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
    2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-12-19 11:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
    2006-12-19 08:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll


    -- Registry Dump ----------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "DeleteDLL"="cmd.exe /c del C:\\PROGRA~1\\COMMON~1\\{304A4~1\\Bar888.dll > nul"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
    "DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
    "SigmatelSysTrayApp"="stsystra.exe"
    "IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
    "winlog"="winlog.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "MyWebSearch bar Uninstall"="rundll32 C:\\PROGRA~1\\UNINST~1.DLL,O -3"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "winlog"="winlog.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
    63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
    6d,73,73,74,79,6c,65,73,00
    "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
    73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{504A4518-067E-1033-0301-0601060001}"="\"C:\\Program Files\\Common Files\\{504A4518-067E-1033-0301-0601060001}\\Update.exe\" mc-110-12-0000140"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{504A4518-067E-1033-0301-0601060001}"="\"C:\\Program Files\\Common Files\\{504A4518-067E-1033-0301-0601060001}\\Update.exe\" mc-110-12-0000137"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{504A4518-067E-1033-0301-0601060001}"="\"C:\\Program Files\\Common Files\\{504A4518-067E-1033-0301-0601060001}\\Update.exe\" mc-110-12-0000137"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



    -- End of ComboScan: finished at 2007-03-04 at 19:42:36 -------------------------
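As an added defender-side example (not from the thread, and not part of ComboScan, SDFix or any other tool mentioned here), this Python script triages a ComboScan-style "Files created" listing for the three masquerading patterns visible in the log above: a binary one letter off a core process name (svchosts.exe vs svchost.exe), zero-byte hidden/system *.com files shadowing console tools, and folders whose names contain a character the scanner printed as "?". The sample lines are constructed from entries in that log; the name lists are assumptions about which names are worth comparing against.

```python
"""Triage a ComboScan-style 'Files created' listing for masquerading artifacts.

Added example: not part of the forum thread or any tool it mentions.
"""
import ntpath
import re
from typing import List, Tuple

# One listing line: date, time, size in bytes, 9 attribute flags, path, optional <8.3 alias>.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[\w-]{9}) (?P<path>.+?)(?:<[^<>]*>)?$"
)

# Assumed list of core Windows processes whose names are commonly imitated (no extension).
CORE_BINARIES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services",
                 "explorer", "spoolsv", "rundll32", "userinit", "ctfmon"}

# Console tools a user types by bare name; with the default PATHEXT order a
# same-named .com in the search path is resolved before the genuine .exe.
CONSOLE_TOOLS = {"cmd", "regedit", "tasklist", "taskkill", "netstat", "ping",
                 "tracert", "msconfig", "regedt32"}

# Directory names that the '?'-bearing folders in the log are imitating (assumed list).
MIMICKED_DIRS = {"system", "system32", "symbols", "security", "microsoft",
                 "adobe", "tasks"}

Finding = Tuple[str, str, str]  # (category, path, reason)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character-off names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(listing: List[str]) -> List[Finding]:
    """Return one finding per suspicious entry; clean entries produce nothing."""
    findings: List[Finding] = []
    for raw in listing:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, unrelated output
        path, attrs, size = m["path"], m["attrs"], int(m["size"])
        base, ext = ntpath.splitext(ntpath.basename(path))
        base, ext = base.lower(), ext.lower()

        # 1. '?' is not a legal NTFS filename character, so it marks a character the
        #    scanner could not print, typically a look-alike glyph in a fake folder name.
        for comp in path.split("\\"):
            if "?" in comp:
                pattern = "".join("." if c == "?" else re.escape(c) for c in comp.lower())
                mimic = next((d for d in MIMICKED_DIRS if re.fullmatch(pattern, d)), None)
                reason = "unprintable character in name"
                if mimic:
                    reason += f", imitates '{mimic}'"
                findings.append(("lookalike-name", path, reason))
                break

        # 2. A .com named after a console tool hijacks bare-name invocation; zero length
        #    plus hidden/system attributes (---hs----) is the pattern seen in the log.
        if ext == ".com" and base in CONSOLE_TOOLS:
            traits = []
            if size == 0:
                traits.append("zero bytes")
            if "h" in attrs:
                traits.append("hidden")
            if "s" in attrs:
                traits.append("system")
            findings.append(("tool-shadow", path,
                             f"{base}.com shadows {base}.exe ({', '.join(traits) or 'no odd attributes'})"))

        # 3. Executables one edit away from a core process name (svchosts.exe vs svchost.exe).
        if ext in (".exe", ".dll") and base not in CORE_BINARIES:
            for core in CORE_BINARIES:
                if edit_distance(base, core) == 1:
                    findings.append(("process-lookalike", path, f"one character off '{core}.exe'"))
                    break
    return findings


# Constructed sample, modelled on entries from the ComboScan log posted in this thread.
SAMPLE_LISTING = [
    "-- Files created between 2007-02-04 and 2007-03-04 ------------------------------",
    r"2007-02-25 10:57:57 0 d-------- C:\WINDOWS\system32\?ystem",
    r"2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\cmd.com",
    r"2007-02-25 10:55:45 0 ---hs---- C:\WINDOWS\system32\regedit.com",
    r"2007-02-23 07:20:17 0 d-------- C:\Program Files\s?curity",
    r"2007-02-21 11:51:35 36864 --a------ C:\WINDOWS\system32\svchosts.exe",
    r"2007-02-21 11:51:35 2560 --a------ C:\WINDOWS\system32\unsvchosts.exe<UNSVCH~1.EXE>",
    r"2007-02-24 10:22:03 0 d-------- C:\Program Files\Lavasoft",
    r"2007-02-11 13:02:16 57344 --a------ C:\WINDOWS\system32\lfbmp13n.dll",
]

if __name__ == "__main__":
    for category, path, reason in triage(SAMPLE_LISTING):
        print(f"[{category}] {path}: {reason}")
```

The clean entries (Lavasoft, the LEAD DLL) produce no output, and unsvchosts.exe is not caught by the name rule alone, which is why a listing like this still needs a human reading it end to end.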
     
  7. 2007/03/05
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Trophy Points:
    106
    Location:
    Ontario
    Computer Experience:
    Where's the any key?
    Hi,

    Glad to see you got back OK.

    I see there is more than one user account on this machine.
    Each account can have its own infections, so I ask that you please stay with the "Cheryse" account till it's cleared; then we can use tools to access registry info from other accounts before you actually log into them.
    If you log into the other accounts, we risk re-infection with dormant files.

    1. Go to C:\ and create a new folder, call it BFU

    2. So that you have c:\BFU

    3. Download Brute Force Uninstaller, by Merijn, author of HijackThis.
    http://www.merijn.org/files/bfu.zip

    4. Unzip it to the folder you created (c:\BFU)
    So that you now have c:\BFU\BFU.exe
    Double-click on BFU.exe, then click the round green icon (open script URL).

    Copy and paste the following line into the "Scriptfile to download" box:

    http://metallica.geekstogo.com/alcanshorty.bfu

    Click OK...

    Make sure "show log file after script ends" is checked.

    Press Execute and let it do its job.
    Wait for the completed script execution box to pop up and press OK.
    If the script is really executed you should have seen a progress bar.
    When Notepad pops up with the log...
    click "Save"
    In "Filename" enter "log.txt"
    Click "Save"
    The log.txt will be in the C:\BFU\ folder... I will need this later.

    Click Exit to exit the BFU program.

    Next:

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally copy and paste the contents of the results file Report.txt back onto the forum.

    Next:

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    Please post the following logs:

    Your AVG report
    New Hijackthis log
    C:\BFU\log.txt

    Let me know how the machine is running.

    Thanks :)
     
  8. 2007/03/06
    Cherysei

    Cherysei Inactive Thread Starter

    Joined:
    2005/06/30
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Report.txt

    SDFix: Version 1.69

    Run by Cheryse - Mon 03/05/2007 - 21:55:54.92

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Client IP-IPX

    Path:
    "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137

    Client IP-IPX Deleted



    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\svchosts.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.exe - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.


    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Common Files\\AOL\\1157573461\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1157573461\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1157573461\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1157573461\\ee\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes :

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\??sks\dvdplay.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\Documents and Settings\Dabney\Local Settings\Temp\dn28.tmp

    Add/Remove Programs List:

    Adobe Photoshop CS2
    AIM 6.0
    Dell Wireless WLAN Card
    Conexant HDA D110 MDC V.92 Modem
    Cool Edit Pro 2.0
    ESPNMotion
    HijackThis 1.99.1
    Microsoft Internationalized Domain Names Mitigation APIs
    Windows Internet Explorer 7
    Power Commander 3 USB
    Broadcom 440x 10/100 Integrated Controller
    High Definition Audio Driver Package - KB835221
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Windows XP Media Center Edition 2005 KB925766
    Microsoft .NET Framework 1.1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft National Language Support Downlevel APIs
    RealPlayer
    Sound Blaster ADVANCED MB Drivers
    Adobe Flash Player 9
    SoulSeek Client 156c
    Video Converter 3
    Viewpoint Media Player
    WinRAR archiver
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Roxio RecordNow Data
    Power Commander 3 USB
    Adobe Photoshop CS2
    Macromedia Flash MX 2004
    J2SE Runtime Environment 5.0 Update 8
    iTunes
    Windows Live Sign-in Assistant
    QuickTime
    Broadcom 440x 10/100 Integrated Controller
    Windows Live Messenger
    Java 2 Runtime Environment, SE v1.4.2_03
    Ad-Aware SE Personal
    Adobe Common File Installer
    Microsoft Office XP Media Content
    Microsoft Office XP Small Business
    SigmaTel Audio
    Apple Software Update
    Roxio RecordNow Audio
    Adobe Reader 8
    Roxio RecordNow Copy
    Adobe Bridge 1.0
    Microsoft .NET Framework 1.1
    Dell ResourceCD
    Adobe Help Center 1.0

    Finished
     
  9. 2007/03/06
    Cherysei

    Cherysei Inactive Thread Starter

    Joined:
    2005/06/30
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Finished!

    My laptop's already noticeably quicker! Here are two of the log files you instructed me to post. As for the AVG log.txt... it's so big that my IE window freezes when I click "paste." How shall I go about posting it?

    ---

    Logfile of HijackThis v1.99.1
    Scan saved at 1:42:07 AM, on 3/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6A941BA7-873E-D4C8-4A72-D858170AF7E9} - C:\WINDOWS\system32\gsmrm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  10. 2007/03/06
    Cherysei

    Cherysei Inactive Thread Starter

    Joined:
    2005/06/30
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    76
    Computer Experience:
    Beginner
    Finished! (cont)

    Log.txt

    ---

    BFU v1.00.9
    Windows XP SP2 (WinNT 5.01.2600 SP2)
    Script started at 9:42:34 PM, on 3/5/2007

    Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
    Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
    Failed: DllUnregister \asappsrv.dll|1 (file not found)
    Failed: DllUnregister \MyToolBar.dll|1 (file not found)
    Failed: DllUnregister \888Bar.dll|1 (file not found)
    Failed: ServiceStop Network Monitor (service not found)
    Failed: ServiceStop cmdService (service not found)
    Failed: ServiceDisable Network Monitor (service not found)
    Failed: ServiceDisable cmdService (service not found)
    Failed: ServiceDelete Network Monitor (service not found)
    Failed: ServiceDelete cmdService (service not found)
    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
    Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
    Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
    Option pause between commands: 300 ms
    Option pause between commands: 50 ms
    Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
    Failed: FolderDelete C:\Program Files\winupdates (folder not found)
    Failed: FolderDelete C:\Program Files\winupdate (folder not found)
    Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
    Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
    Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
    Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
    Failed: FolderDelete C:\Program Files\outlook (folder not found)
    Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
    Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\update.exe (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\services.dll (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\activate.exe (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\MyToolBar.dll (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\update.exe (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\services.dll (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\activate.exe (operation failed)
    Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\MyToolBar.dll (operation failed)
    Failed: FolderDelete C:\Program Files\toolbar888 (folder not found)
    Failed: FolderDelete C:\Program Files\e-mailpaysu toolbar (folder not found)
    Failed: FolderDelete C:\Program Files\EMUSIC TOOLBAR (folder not found)
    Failed: FolderDelete C:\Program Files\find dvd toolbar (folder not found)
    Failed: FolderDelete C:\Program Files\GULESIDER VERKTøYLINJE (folder not found)
    Failed: FolderDelete C:\Program Files\sesam-p4 toolbar (folder not found)
    Failed: FolderDelete C:\Program Files\slownik ling (folder not found)
    Failed: FolderDelete C:\Program Files\MediaPipe (folder not found)
    Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)
    Failed: FolderDelete C:\DOCUME~1\Cheryse\LOCALS~1\Temp\hsperfdata_Cheryse (operation failed)
    Failed: FileDelete C:\DOCUME~1\Cheryse\LOCALS~1\Temp\~DFEDC2.tmp (operation failed)
    Failed: FolderDelete C:\Documents and Settings\Cheryse\Local Settings\Temporary Internet Files\Content.IE5\L7651UDQ (operation failed)
    Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
    Failed: FolderDelete C:\Program Files\DNS (folder not found)
    Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
    Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
    Failed: FolderDelete C:\Program Files\PSCastor (folder not found)
    Failed: FolderDelete C:\Program Files\CMIntex (folder not found)
    Failed: FolderDelete C:\Program Files\PadsysAssistant (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
    Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
    Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
    Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
    Failed: FolderDelete C:\WINDOWS\inet20000 (folder not found)
    Failed: FolderDelete C:\Program Files\Update06 (folder not found)
    Failed: FolderDelete C:\Program Files\Update03 (folder not found)
    Failed: FolderDelete C:\Program Files\Update04 (folder not found)
    Failed: FolderDelete C:\Program Files\Update08 (folder not found)
    Failed: FolderDelete C:\Program Files\W-Update (folder not found)
    Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
    Failed: FolderDelete C:\Program Files\Cas (folder not found)
    Failed: FolderDelete C:\Program Files\CasStub (folder not found)
    Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
    Failed: FolderDelete C:\Program Files\ipwins (folder not found)
    Failed: FolderDelete C:\Program Files\Ipwindows (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)
    Failed: FolderDelete C:\Program Files\folder.js (folder not found)
    Failed: FolderDelete C:\Program Files\ini.ini (folder not found)
    Failed: FolderDelete C:\temp (folder not found)
    Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
    Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
    Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
    Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
    Failed: FolderDelete C:\Program Files\SDVita (folder not found)
    Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
    Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
    Failed: FolderDelete C:\Program Files\PSHope (folder not found)
    Failed: FolderDelete C:\Program Files\Batty (folder not found)
    Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
    Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
    Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
    Failed: FolderDelete C:\Program Files\PSLister (folder not found)
    Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
    Failed: FolderDelete C:\Program Files\PSDream (folder not found)
    Failed: FolderDelete C:\Program Files\cmapp (folder not found)
    Failed: FolderDelete C:\Program Files\cmman (folder not found)
    Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
    Failed: FolderDelete C:\Program Files\fcengine (folder not found)
    Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
    Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
    Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
    Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
    Failed: FolderCreate C:\bintheredunthat (folder already exists)
    Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
    Script completed.
    THANKS!!! :D
     
  11. 2007/03/06
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Trophy Points:
    106
    Location:
    Ontario
    Computer Experience:
    Where's the any key?
    Hi

    Can you upload your AVG log here please? If it's really huge, please zip it up before you upload it.
    ~1MB shouldn't be an issue at all.

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Do put a link in the upload page to this thread so I know whose log I'm looking at.
    I'd like to have a quick look at that log before I give you much more to do.

    Hmmm...

    Can I get you to upload some files for me too? I'd like some samples so these antispyware/antivirus programs can get these files.

    Create a folder called "blender" on your desktop.

    Go to this folder:

    C:\Program files\common files

    See those folders in there with really long names? Like {C1B4DEC2-2623-438e-9CA2-C9043AB28508} (this isn't the right name, but this is kinda what they look like).

    Please copy each one to the "blender" folder. (You may have one or several.)

    Then......

    Locate this file:

    C:\Windows\system32\gsmrm.dll

    Copy it to the "blender" folder.

    Right click "blender" > Send To > Compressed (zipped) Folder.

    Upload blender.zip here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Do leave a link there to this thread so I know who the files belong to.

    Once that's done, delete the folder "blender" and its zip, and empty the Recycle Bin. I don't want those things kicking around.

    I'll be back shortly with some other things to do.

    Thanks!
     
  12. 2007/03/06
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Trophy Points:
    106
    Location:
    Ontario
    Computer Experience:
    Where's the any key?
    I'm back....:D

    After you have done the above...

    This attachment is meant for this user only!

    I have attached a file called Fix.zip
    Please download this file and save it someplace handy like your desktop.
    Right click Fix.zip > choose "extract all" > follow the prompts to extract the file.
    It should create a folder called Fix.

    Open the folder and double click fix.bat.
    A "DOS" window will flash up for a second and disappear. This is normal.

    Start HijackThis, run a system scan and check the following entries if they exist:

    O2 - BHO: (no name) - {6A941BA7-873E-D4C8-4A72-D858170AF7E9} - C:\WINDOWS\system32\gsmrm.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304A4~1\Bar888.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab


    Once checked, close all other open windows and click "Fix checked".
    Say OK and exit HijackThis.

    Reboot

    Find and delete this folder if it exists:

    C:\Program Files\Common Files\{304A4~1 <-- unsure of the full folder name, but it does start with {304A4

    You can also delete Fix.zip and its folder.

    Empty the Recycle Bin.

    Please post me a new HijackThis log and let me know how things are running.

    Thanks :)
     
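    The entries Blender singles out above share a few shapes that a helper learns to look for in a HijackThis log: a BHO or toolbar registered with "(no name)", a registration whose file is "(no file)", an object loaded from a GUID-named folder under Common Files, and an O16 ActiveX download with no object name. The following is an added example, not code from this thread or from HijackThis, that parses lines of that format and applies those triage heuristics. The sample lines are constructed from entries quoted in this thread, and the heuristics are assumptions for prioritising review, not a malware verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: HijackThis-style entries of the shapes quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {6A941BA7-873E-D4C8-4A72-D858170AF7E9} - C:\\WINDOWS\\system32\\gsmrm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\\PROGRA~1\\COMMON~1\\{304A4~1\\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\\PROGRA~1\\COMMON~1\\{304A4~1\\Bar888.dll
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# "O<n> - <section>: <rest>"; the section never contains a colon, the rest may (drive letters).
LINE_RE = re.compile(r"^O(?P<num>\d+) - (?P<section>[^:]+): (?P<rest>.*)$")
# A directory component that starts with "{", e.g. ...\COMMON~1\{304A4~1\Bar888.dll
GUID_DIR_RE = re.compile(r"\\\{[^\\]+\\")
# O16 body: "{CLSID} (Object Name) - URL" or "{CLSID} - URL"
O16_RE = re.compile(r"^(?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one HijackThis entry into fields; returns {} for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    entry = {"type": "O" + m.group("num"), "section": m.group("section"), "rest": m.group("rest")}
    if entry["type"] in ("O2", "O3", "O9"):
        # "<name> - <clsid> - <path>"; the path may itself contain " - ", so split at most twice.
        parts = m.group("rest").split(" - ", 2)
        if len(parts) == 3:
            entry["name"], entry["clsid"], entry["path"] = parts
    elif entry["type"] == "O16":
        m16 = O16_RE.match(m.group("rest"))
        if m16:
            entry["clsid"] = m16.group("clsid")
            entry["name"] = m16.group("name") or ""
            entry["url"] = m16.group("url")
    return entry


def review_reasons(entry: Dict[str, str]) -> List[str]:
    """Assumed triage heuristics: reasons an entry deserves a closer look, not a verdict."""
    reasons: List[str] = []
    if entry.get("type") in ("O2", "O3"):
        if entry.get("name") == "(no name)":
            reasons.append("BHO/toolbar registered without a display name")
        if entry.get("path") == "(no file)":
            reasons.append("registration points at a file that no longer exists")
        elif GUID_DIR_RE.search(entry.get("path", "")):
            reasons.append("loaded from a GUID-named folder")
    elif entry.get("type") == "O16" and "url" in entry and not entry.get("name"):
        reasons.append("ActiveX download (DPF) with no object name")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (entry line, reasons) for every entry that trips at least one heuristic."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = review_reasons(entry) if entry else []
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

    Run against the constructed sample, the five entries Blender asked to have fixed (the two unnamed BHOs, the Bar888 BHO and toolbar, and the unnamed O16 download) are the ones reported, while the QuickTime object, the Messenger button and the iPod service are not. The KernelFaultCheck O4 line is left alone on purpose: it is a stock Windows entry that helpers often remove as harmless, not an indicator on its own.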
  13. 2007/03/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    3
    Trophy Points:
    608
    Location:
    PHX. AZ
    Computer Experience:
    Intermediate
    Due to lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     