Warning: Spyware threat has been detected on you PC

By ME2008
Apr 21, 2008
Topic Status:
Not open for further replies.
  1. Hi. I've been having this problem with the blue desktop that says Warning: Spyware threat has been detected on you PC. If anyone can help, that would be great. Thanks.
  2. kritius

    kritius TechSpot Guru Posts: 2,087

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log to your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory, as it is necessary to create backups.
    • After installing, the program launches automatically; select Scan now and save a log.
    • After the scan is complete, attach the log to your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.
  3. ME2008

    ME2008 Newcomer, in training Topic Starter

    This is the Malwarebytes' Anti-Malware Log (Part 1):

    Malwarebytes' Anti-Malware 1.11
    Database version: 666

    Scan type: Full Scan (C:\|)
    Objects scanned: 107868
    Time elapsed: 1 hour(s), 12 minute(s), 30 second(s)

    Memory Processes Infected: 6
    Memory Modules Infected: 2
    Registry Keys Infected: 36
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 9
    Files Infected: 81

    Memory Processes Infected:
    c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Unloaded process successfully.
    C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Unloaded process successfully.
    C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Unloaded process successfully.
    C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> Unloaded process successfully.
    C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> Unloaded process successfully.
    C:\WINDOWS\winself.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Unloaded module successfully.
    C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgmon (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.
    C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
    C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

    Files Infected:
    c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Delete on reboot.
    C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temp\BatSetup.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temp\fibuzobu.exe.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\PNNFT50E\syswcc32[1].exe (Adware.Webhancer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\ULDABITG\BatSetup[1].exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\ULDABITG\msiexec[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089030.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089040.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089045.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089052.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089057.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089069.exe (Adware.Batco) -> Quarantined and deleted successfully.
  4. ME2008

    ME2008 Newcomer, in training Topic Starter

    This is the Malwarebytes' Anti-Malware Log (Part 2):

    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089096.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0090347.exe (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089070.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089089.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Program Files\ISM\ism.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule\kwdy.gz (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule\pckr.dat (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
    C:\WINDOWS\winself.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Local Settings\Temp\ismtpa15.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Documents and Settings\m\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
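The two posts above carry a Malwarebytes' Anti-Malware 1.11 log split in half, and every detection line has the same shape: the item, the family name in parentheses, then `->` and the action MBAM took. The following Python script is an added example, not code from this thread or from Malwarebytes: it parses that line format, tags each detection with the section it appeared under, and pulls out the items marked "Delete on reboot" (the two in this log are `ruranadq.exe` and `kavo0.dll`), since those were locked when the scan ran and are only removed at the next restart. The `SAMPLE_LOG` is a constructed excerpt using paths and family names copied from the posted log; the regexes are my own assumption about the format based on the lines shown.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Malwarebytes' Anti-Malware 1.11 log
# posted in this thread (paths, family names and actions copied from it).
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\winself.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<path or registry key> (<family>) -> <action>."
# (assumed format, derived from the lines in the posted log)
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Files Infected:" (the summary lines at the top of the
# log read "Files Infected: 81" and so do not match).
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return detections


def summarize(detections):
    """Counts per family and per action, plus items whose removal is deferred to reboot."""
    by_family = Counter(d["family"] for d in detections)
    by_action = Counter(d["action"] for d in detections)
    # "Delete on reboot" means the file was in use (running or loaded) when the
    # scan ran, so MBAM schedules removal for the next restart. A rescan after
    # rebooting is how you confirm those items are actually gone.
    pending = [d["item"] for d in detections if d["action"] == "Delete on reboot"]
    return {"by_family": by_family, "by_action": by_action, "pending_reboot": pending}


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    report = summarize(found)
    for family, n in report["by_family"].most_common():
        print(f"{n:3d}  {family}")
    print("pending reboot:")
    for item in report["pending_reboot"]:
        print("  ", item)
```

Feeding the script both halves of the posted log concatenated gives a per-family breakdown of the 81 files and 36 registry keys without reading every line, and the pending-reboot list is the first thing to re-check after the restart.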
  5. ME2008

    ME2008 Newcomer, in training Topic Starter

    This is the ComboFix Log (Part 1):

    ComboFix 08-04-20.5 - m 2008-04-21 17:02:12.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
    Running from: C:\Documents and Settings\m\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\default.htm
    C:\WINDOWS\Downloaded Program Files\setup.inf

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.74
    .
    ((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
    .

    2008-04-21 14:43 . 2008-04-21 14:43 <DIR> d-------- C:\Documents and Settings\m\Application Data\Malwarebytes
    2008-04-21 14:42 . 2008-04-21 15:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-21 14:42 . 2008-04-21 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-21 14:34 . 2008-04-21 16:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-21 14:34 . 2008-04-21 14:34 <DIR> d-------- C:\Documents and Settings\m\Application Data\SUPERAntiSpyware.com
    2008-04-21 14:34 . 2008-04-21 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-21 13:23 . 2008-04-21 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
    2008-04-21 13:07 . 2008-04-21 13:07 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-21 13:07 . 2008-04-21 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-21 13:06 . 2008-04-21 14:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-21 11:34 . 2008-04-21 15:53 <DIR> dr-h----- C:\$VAULT$.AVG
    2008-04-21 11:32 . 2008-04-21 11:35 <DIR> d-------- C:\Documents and Settings\m\Application Data\AVG7
    2008-04-21 11:32 . 2008-04-21 11:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-04-21 11:30 . 2008-04-21 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-04-20 23:12 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-04-20 23:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-04-20 23:12 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-04-20 23:12 . 2008-04-20 00:38 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-04-20 23:12 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-04-20 23:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-04-20 23:12 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-04-20 23:12 . 2008-04-20 23:13 1,298 --a------ C:\WINDOWS\system32\tmp.reg
    2008-04-20 23:09 . 2008-04-20 23:09 174 --a------ C:\WINDOWS\wininit.ini
    2008-04-20 22:39 . 2008-04-20 22:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-20 22:39 . 2008-04-20 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-20 22:33 . 2008-04-21 11:32 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-04-20 22:33 . 2008-04-21 17:02 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
    2008-04-19 22:29 . 2008-04-19 22:29 <DIR> d-------- C:\Documents and Settings\m\Application Data\Grisoft
    2008-04-19 22:29 . 2007-05-30 07:10 10,872 --a------
  6. ME2008

    ME2008 Newcomer, in training Topic Starter

    This is the ComboFix Log (Part 2):

    C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-04-19 22:04 . 2008-04-19 22:04 <DIR> d-------- C:\WINDOWS\mgwwgmke
    2008-04-19 22:04 . 2008-04-21 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\otizadkp
    2008-04-19 22:03 . 2008-04-19 22:03 192,512 --a------ C:\WINDOWS\vufcbedi.dll
    2008-04-19 22:03 . 2008-04-19 22:03 65,024 --a------ C:\WINDOWS\bajonglo.dll
    2008-04-19 22:03 . 2008-04-19 22:03 65,024 --a------ C:\Documents and Settings\All Users\Application Data\sxidyjen.dll
    2008-04-19 22:02 . 2008-04-20 22:22 138 -r-hs---- C:\WINDOWS\mainms.vpi
    2008-04-19 22:02 . 2008-04-21 11:23 33 -r-hs---- C:\WINDOWS\muotr.so
    2008-04-19 22:02 . 2008-04-20 23:27 4 --------- C:\WINDOWS\megavid.cdt
    2008-04-19 22:01 . 2008-04-19 22:01 6,656 --a------ C:\WINDOWS\ons.dll
    2008-04-11 11:27 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    2008-04-11 11:27 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
    2008-04-09 09:55 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-04-09 09:55 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-04-09 09:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-04-09 09:54 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-04-07 11:36 . 2008-04-07 11:36 244 --ah----- C:\sqmnoopt19.sqm
    2008-04-07 11:36 . 2008-04-07 11:36 232 --ah----- C:\sqmdata19.sqm
    2008-04-07 11:34 . 2008-04-07 11:34 244 --ah----- C:\sqmnoopt18.sqm
    2008-04-07 11:34 . 2008-04-07 11:34 232 --ah----- C:\sqmdata18.sqm
    2008-04-05 10:36 . 2008-04-07 13:07 <DIR> d-------- C:\Documents and Settings\m\Application Data\SecondLife

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-21 16:32 --------- d-----w C:\Program Files\BitComet
    2008-04-21 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-04-18 23:11 --------- d-----w C:\Documents and Settings\m\Application Data\LimeWire
    2008-04-18 21:24 --------- d-----w C:\Program Files\Viewpoint
    2008-04-18 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-04-17 13:19 --------- d-----w C:\Documents and Settings\m\Application Data\U3
    2008-03-11 20:43 --------- d-----w C:\Documents and Settings\m\Application Data\dvdcss
    2008-03-08 21:38 --------- d-----w C:\Program Files\Photo Recovery
    2008-03-08 21:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-08 21:37 --------- d-----w C:\Program Files\FreeUndelete
    2008-03-08 18:50 --------- d-----w C:\Program Files\DiskInternals
    2008-03-08 18:28 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2008-03-08 18:28 249,856 ------w C:\WINDOWS\Setup1.exe
    2007-11-24 01:24 8 ----a-w C:\Documents and Settings\m\Application Data\usb.dat.bin
    .

    ------- Sigcheck -------

    2002-08-29 03:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
    2004-08-03 23:56 1134080 0657a5b234a9abb3f0b63e2f422220b5 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
    2004-08-03 23:56 1134080 0657a5b234a9abb3f0b63e2f422220b5 C:\WINDOWS\system32\wininet.dll

    2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
    2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
    2007-12-21 12:33 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-12-21 12:33 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\drivers\tcpip.sys

    2004-08-03 23:56 3194368 5ef48912206ff9225ba9cb3d26917db1 C:\WINDOWS\explorer.exe
    2002-08-29 03:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
    2004-08-03 23:56 3194368 5ef48912206ff9225ba9cb3d26917db1 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe" [2006-05-14 15:47 344064]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:56 1667584]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34 3084288]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-13 08:47 131072]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-13 08:47 163840]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 11:31 579584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-21 11:31 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-03 23:56 48128 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\m\Start Menu\Programs\Startup\
    RocketDock.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 15:47:48 344064]
    UberIcon.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 07:20:14 180224]
    Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 14:09:06 131072]
    Y'z Toolbar.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe [2002-09-29 07:41:10 90112]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
    C:\Program Files\AIM\AIM Pro\aimpro.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    C:\Program Files\Ares\Ares.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-26 23:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
    C:\WINDOWS\system32\kavo.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    --a------ 2007-01-13 08:46 135168 C:\WINDOWS\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Runonce]
    C:\WINDOWS\smss.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2005-08-19 18:34 3084288 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AddFiltr"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19794:TCP"= 19794:TCP:BitComet 19794 TCP
    "19794:UDP"= 19794:UDP:BitComet 19794 UDP
  7. ME2008

    ME2008 Newcomer, in training Topic Starter

    This is the ComboFix Log (Part 2):


    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-11-24 14:34]
    S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2004-11-24 14:36]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d3b0d2e-a41f-11dc-b60e-001a730fbf3a}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d3b0d2f-a41f-11dc-b60e-001a730fbf3a}]
    \Shell\Auto\command - G:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{166594d7-68af-11dc-b5c2-001a730fbf3a}]
    \Shell\Auto\command - F:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a909ce2-0c08-11dd-b71b-001a730fbf3a}]
    \Shell\AutoRun\command - E:\2y8la.exe
    \Shell\explore\Command - E:\2y8la.exe
    \Shell\open\Command - E:\2y8la.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31f979c6-ed23-11dc-b6da-001a730fbf3a}]
    \Shell\AutoRun\command - F:\m6dqm2vd.exe
    \Shell\explore\Command - F:\m6dqm2vd.exe
    \Shell\open\Command - F:\m6dqm2vd.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361a856c-db27-11dc-b69d-001a730fbf3a}]
    \Shell\AutoRun\command - E:\p3r1ud.exe
    \Shell\explore\Command - E:\p3r1ud.exe
    \Shell\open\Command - E:\p3r1ud.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397b992c-f9d0-11dc-b6f3-001a730fbf3a}]
    \Shell\AutoRun\command - E:\u3dsc.com
    \Shell\explore\Command - E:\u3dsc.com
    \Shell\open\Command - E:\u3dsc.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3da8288e-8b12-11dc-b5fa-001a730fbf3a}]
    \Shell\Auto\command - F:\Cn911.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d9f4f66-6bb4-11dc-b5d4-001a730fbf3a}]
    \Shell\Auto\command - F:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e02a518-96b7-11dc-b5ff-001a730fbf3a}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e02a51a-96b7-11dc-b5ff-001a730fbf3a}]
    \Shell\Auto\command - F:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bb6a51f-da5b-11dc-b69b-001a730fbf3a}]
    \Shell\AutoRun\command - E:\p3r1ud.exe
    \Shell\explore\Command - E:\p3r1ud.exe
    \Shell\open\Command - E:\p3r1ud.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{892e865c-72a6-11dc-b5df-001a730fbf3a}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91777ed1-6c85-11dc-b5d7-001a730fbf3a}]
    \Shell\AutoRun\command - E:\c.com
    \Shell\explore\Command - E:\c.com
    \Shell\open\Command - E:\c.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9f6e86-00f8-11dd-b703-001a730fbf3a}]
    \Shell\AutoRun\command - E:\30ed3.exe
    \Shell\explore\Command - E:\30ed3.exe
    \Shell\open\Command - E:\30ed3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78b04bb-6eb6-11dc-b5da-001a730fbf3a}]
    \Shell\Auto\command - F:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55d257e-2f38-11dd-b700-001a730fbf3a}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b92485b6-7033-11dc-b5db-001a730fbf3a}]
    \Shell\Auto\command - F:\Cn911.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2010c4a-707d-11dc-b5dd-001a730fbf3a}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4e5f5aa-68aa-11dc-b5be-0016d4a6bd85}]
    \Shell\Auto\command - G:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d16abb0c-ce7e-11dc-b664-001a730fbf3a}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d16abb0d-ce7e-11dc-b664-001a730fbf3a}]
    \Shell\Autoplay\Command - F:\smss.exe
    \Shell\AutoRun\command - F:\smss.exe
    \Shell\Explore\Command - F:\smss.exe
    \Shell\Open\Command - F:\smss.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1d7460d-07cc-11dd-b712-001a730fbf3a}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
    \Shell\é_†™\command - E:\NETSVCS.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8ba89cc-af4a-11dc-b61f-001a730fbf3a}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8ba89cd-af4a-11dc-b61f-001a730fbf3a}]
    \Shell\Auto\command - G:\sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd270dc-a2a7-11dc-b60c-001a730fbf3a}]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd270de-a2a7-11dc-b60c-001a730fbf3a}]
    \Shell\Auto\command - H:\MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 16:26:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-21 17:06:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-21 17:08:50
    ComboFix-quarantined-files.txt 2008-04-21 22:08:43

    Pre-Run: 46,294,294,528 bytes free
    Post-Run: 47,423,827,968 bytes free

    287
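The MountPoints2 entries in the log above look like a removable-drive autorun infection: the same sxs.exe, smss.exe and Cn911.exe names are bound to the AutoRun, Open and Explore verbs of drives E:, F: and G:, several of them launched indirectly through rundll32 ShellExec_RunDLL. As an added example that is not part of this thread or of ComboFix, the Python script below parses those blocks from a constructed excerpt of the posted log and lists the entries a responder would check first; the allowlist for LaunchU3.exe (the U3 flash-drive launcher) is an assumption, not something the log establishes.

```python
import re
from typing import Dict, List

# Constructed excerpt: three MountPoints2 blocks copied from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d3b0d2f-a41f-11dc-b60e-001a730fbf3a}]
\Shell\Auto\command - G:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d16abb0d-ce7e-11dc-b664-001a730fbf3a}]
\Shell\Autoplay\Command - F:\smss.exe
\Shell\AutoRun\command - F:\smss.exe
\Shell\Explore\Command - F:\smss.exe
\Shell\Open\Command - F:\smss.exe
"""

# ComboFix prints one "[HKEY_CURRENT_USER\...\mountpoints2\<subkey>]" header per
# drive, followed by "\Shell\<verb>\command - <command line>" lines.
SECTION_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)

# Assumption: the U3 launcher is expected on this machine's flash drives.
ALLOWLIST = {"launchu3.exe"}
# Core Windows process names; legitimate copies live in System32, not on E:/F:/G:.
LOOKALIKES = {"smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "netsvcs.exe"}

INDIRECT = "launched indirectly via rundll32 ShellExec_RunDLL"
LOOKALIKE = "system-process name outside System32"
REMOVABLE_ROOT = "executable in the root of a non-system drive"
ALL_VERBS = "Open/Explore verbs rebound, so double-clicking the drive runs it"


def parse_mountpoints(log: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 subkey to its {verb: command line} entries."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            blocks[current] = {}
            continue
        entry = VERB_RE.match(line)
        if entry and current is not None:
            blocks[current][entry.group(1).lower()] = entry.group(2)
    return blocks


def launched_target(command: str) -> str:
    """Lower-cased file name that a verb's command line actually starts."""
    tokens = command.split()
    if "shellexec_rundll" in command.lower():
        return tokens[-1].lower()          # rundll32 ... ShellExec_RunDLL <file>
    return tokens[0].rsplit("\\", 1)[-1].lower()


def triage(log: str) -> Dict[str, List[str]]:
    """Return {subkey: [reasons]} for every drive entry a responder should inspect."""
    findings: Dict[str, List[str]] = {}
    for key, verbs in parse_mountpoints(log).items():
        commands = list(verbs.values())
        targets = {launched_target(c) for c in commands}
        if targets <= ALLOWLIST:
            continue                       # only expected launchers on this drive
        reasons: List[str] = []
        if any("shellexec_rundll" in c.lower() for c in commands):
            reasons.append(INDIRECT)
        if targets & LOOKALIKES:
            reasons.append(LOOKALIKE)
        if any(re.match(r"^[A-Z]:\\[^\\]+$", c.split()[0], re.I)
               and not c.upper().startswith("C:") for c in commands):
            reasons.append(REMOVABLE_ROOT)
        if {"open", "explore"} <= set(verbs) and len(targets) == 1:
            reasons.append(ALL_VERBS)
        if reasons:
            findings[key] = reasons
    return findings
```

Calling triage(SAMPLE_LOG) returns nothing for the LaunchU3 drive and a reason list for the sxs.exe and smss.exe drives; point it at the full log text to cover every block.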
  8. ME2008

    ME2008 Newcomer, in training Topic Starter

    This is the HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:14:02 PM, on 4/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
    C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
    C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
    C:\Documents and Settings\m\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} - (no file)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
    O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
    O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
    O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7456 bytes
  9. kritius

    kritius TechSpot Guru Posts: 2,087

    I'll go over your logs later and post a fix sometime tomorrow. Quite tired now.
  10. barelylegalrcc

    barelylegalrcc Newcomer, in training

    I am having the exact same problem and need help as well. It seems to be a common problem right now. I have done the same steps mentioned, but I know it would only create confusion to post my logs here. I have very minimal knowledge of computers, but can navigate through the basics. Where do I need to post my logs so that I can be helped as well?
  11. kritius

    kritius TechSpot Guru Posts: 2,087

    @ barelylegalrcc

    Go HERE and look at the top of the page; you'll see a button called New Thread. Start a new thread and post the logs as attachments.
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer.

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended" tab.
    • Scroll down the list and find the service called "Viewpoint Manager Service".
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\Documents and Settings\All Users\Application Data\sxidyjen.dll

      Folder::
      C:\Documents and Settings\All Users\Application Data\otizadkp

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} - (no file)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    P2P Warning!

    • IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

      LimeWire and BitComet

      Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
      Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

      I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

      References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
      http://www.techweb.com/wire/160500554
      http://www.internetworldstats.com/articles/art053.htm
      See Clean/Infected P2P Programs here

      I would recommend that you uninstall LimeWire and BitComet; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      If you wish to keep it, please do not use it until your computer is cleaned.

    You should get a firewall as well, either,

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder