Rixstep

Wsnpoem

Nostalgia isn't what it used to be.



Running Linux and feel constantly perturbed by the lack of peripheral support? Running Apple's OS X and feel constantly frustrated by that company's cavalier attitude towards security?

It's easy to be spoiled. Things get so easy once you get away from Windows.

And what's particularly annoying is noticing 90% of the punters on the Internet have no clue, stay on Windows, and continue to spread their misery both amongst themselves and to others - to us.

The Internet of today is overrun by botnets of Windows PCs spewing out over 80% of the electronic mail, infecting 80-90% of all Windows PCs, with an average of 30 infections per PC.

The costs, the traffic, the waste are staggering. The dangers are anything but trivial. Yet they go on.

They're stupid. They have no social responsibility. But above all they're stupid.

Perhaps it was something like the following dropping into your webmail inbox that caused you to reflect on the matter again - reminding yourself of course that none of this would spread if 90% of the punters online weren't spewing out this crap from their Windows machines.



Now of course the first question is who in their right mind would want a copy of Internet Explorer anyway. But we know the answer: the 90% of the punters online who are stupid enough to run Windows.

And they have an attachment to download. Or a URL to access. And either way they get a lovely present.



'Unable to clean'? Hello? What do they mean by 'unable to clean'?

What's 'Wsnpoem'? Time to Google. And when you do you'll come up with some amazing revelations.

  • Wsnpoem has a keystroke logger. It's going to steal your passwords. It's recommended you do not connect to the Internet and do not change any passwords until you get rid of it.
  • Wsnpoem is almost impossible to get rid of. Exactly how laborious the procedure can be will be revealed below. Get your flight bag now.

The Solution (Easy)

PC Pitstop have the easy solution to getting rid of Wsnpoem. [Did you get that flight bag like you were told?]

Trojan, I can't get rid of it!(Solved), Win 32agent.pz

Hello folks
I have this trojan that I just can't seem to shift. I have run both Spybot and Ad-Aware; both programs report it but are unable to remove it...
Please can someone help me....
Here is a log file I have just run........

Thank you..

Logfile of HijackThis v1.99.1
Scan saved at 10:38:46, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpybotDeletingA8943] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2800] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2789] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8942] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5659] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC170] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4197] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC405] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKCU\..\Run: [swg] c:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173033604250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

Note this punter has run two of the most effective antivirus products on his box - and he still can't get rid of the thing. The tell is the F2 line in that log: the Winlogon Userinit value, which should name only userinit.exe, now reads 'userinit.exe,C:\WINDOWS\system32\ntos.exe,' and Winlogon starts every program in that comma-separated list at each logon. The string of RunOnce entries further down shows Spybot has renamed wsnpoem\video.dll and wsnpoem\audio.dll to '_tobedeleted' and queued their deletion several times over, which rather suggests the deletions aren't sticking.

Note how much crap these punters have to go through to get rid of only one piece of malware. Windows boxes have an average of 30 infections at any one time. Do the math.

You have a password stealing trojan. Do not change any of your passwords using this machine until it is clean. You need to take precautions for any banking, credit cards etc that you may have used with this machine.

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps.
You may need several replies to post the requested logs, otherwise they might get cut off.

Download SDFix or from Here and save it to your Desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log

NEXT

Download ComboFix© by sUBs Here
IMPORTANT !! Place it on your Desktop.
In case you have used Combofix before, please delete the version you have now and redownload it again; Combofix is updated every day.
If your anti-virus or firewall gives alerts, please allow this script to run as it is not malicious.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Go to START → Run → copy and paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall


  • Follow the prompts. Type "1" and press Enter to begin the scan.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Please be patient while the scan runs, at times it may appear to stall.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
After rebooting ensure your Security applications have been re-enabled.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

You are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:

Download Trend Micro Hijack This™ and save to desktop.
It is important that you uninstall any previous versions by using Add/Remove programs in your control panel
before installing a newer version.
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

Accept the license agreement by clicking the "I Accept" button.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Click "Save log" to save the log file and then the log will open in Notepad.
Click on Edit-> Select All then click on "Edit -> Copy" to copy the entire contents of the log.

In your next reply post:
SDFix Report.txt
ComboFix.txt
New HJT log taken after the above scan has run

That was easy enough!

Hi Juliet, thanks for your reply.
I am having problems already.
I have followed the instructions but when I get to safe mode and open the %systemdrive% folder, there is no RunThis.bat option, there is only a RUNThis.cmd option. I have double-clicked to open it, but it just sort of flashes black, as though it opens and then shuts immediately? I have also tried in normal mode and the same thing happens?
Any ideas?
Thanks
Newonnet

  • Type Y to begin the cleanup process??
Did you follow through with this?

Haha. As if you couldn't see it coming. Oh give it up. Give it a good 'LMAO'.

I don't get the chance to type 'Y'; as soon as I double-click on the RunThis.cmd, it opens and then closes the page before I get the chance to type anything. I have tried holding down the Y as well but it still closes instantly?

OK

Continue on with the instructions for ComboFix and post the logs.

Hi Juliet, thanks for your prompt reply.
Here are the completed logs for COMBOFIX and HijackThisLog

ComboFix 07-12-09.3 - User 2007-12-09 20:03:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-09 18:11 . 2007-12-09 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-09 18:10 . 2007-12-09 20:03 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-12-09 18:09 . 2007-12-09 18:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 22:31 . 2007-12-07 22:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 22:31 . 2007-12-07 22:31 42,496 --a------ C:\info.exe
2007-12-07 22:31 . 2007-12-07 22:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 15:06 . 2007-12-01 15:06 <DIR> d-------- C:\Program Files\Tap Tap Software
2007-12-01 15:06 . 2004-05-27 11:32 102,400 --a------ C:\WINDOWS\system32\vbuzip10.dll
2007-12-01 15:06 . 2004-11-02 18:17 78,088 --a------ C:\WINDOWS\system32\dsofile.dll
2007-12-01 15:06 . 2001-07-05 15:05 40,448 --a------ C:\WINDOWS\system32\dsofile14.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 17:52 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2007-12-09 00:14 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-06 17:24 --------- d-----w C:\Program Files\SPSS
2007-12-01 15:15 --------- d-----w C:\Documents and Settings\User\Application Data\MySpace
2007-12-01 15:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 13:15 --------- d-----w C:\Program Files\BFG
2007-09-28 16:58 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-09-09 20:37 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2006-09-09 20:43 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-02-20 16:42 823,464 ----a-r C:\Documents and Settings\JRE\javaws-1_2_0_02-windows-i586-i.exe
2000-05-16 11:55 17,788 ----a-w C:\Documents and Settings\Maps\WORLD.DAT
2000-05-16 11:52 1,754 ----a-w C:\Documents and Settings\Maps\EUROPE.DAT
1999-11-30 18:04 930 ----a-w C:\Documents and Settings\Maps\ES_HIWAY.DAT
1999-11-30 18:04 85,467 ----a-w C:\Documents and Settings\Maps\ESCTY705.DAT
1999-11-30 18:04 810 ----a-w C:\Documents and Settings\Maps\MX_HIWAY.DAT
1999-11-30 18:04 4,639 ----a-w C:\Documents and Settings\Maps\ESCTY37.DAT
1999-11-30 18:04 30,526 ----a-w C:\Documents and Settings\Maps\EURNUTS2.DAT
1999-11-30 18:04 250,494 ----a-w C:\Documents and Settings\Maps\US_ZIPS.DAT
1999-11-30 18:04 2,092 ----a-w C:\Documents and Settings\Maps\ES_NUTS2.DAT
1999-11-30 18:04 18,662 ----a-w C:\Documents and Settings\Maps\MXCTY364.DAT
1999-11-30 18:04 11,626 ----a-w C:\Documents and Settings\Maps\EURNUTS1.DAT
1999-11-30 18:04 108,626 ----a-w C:\Documents and Settings\Maps\MXCTY_2K.DAT
1999-11-30 18:04 1,781 ----a-w C:\Documents and Settings\Maps\MX_CAPS.DAT
1999-11-30 16:57 78 ----a-w C:\Documents and Settings\Maps\OCN_ASIA.DAT
1999-11-30 16:55 72 ----a-w C:\Documents and Settings\Maps\OCEAN_LL.DAT
1999-11-29 18:55 72 ----a-w C:\Documents and Settings\Maps\OCEAN.DAT
1999-11-29 18:54 332 ----a-w C:\Documents and Settings\Maps\GRID15.DAT
1999-11-29 18:53 2,123 ----a-w C:\Documents and Settings\Maps\WLDCTY25.DAT
1999-11-29 18:53 13,826 ----a-w C:\Documents and Settings\Maps\WORLDCAP.DAT
1999-11-29 18:46 958 ----a-w C:\Documents and Settings\Maps\USCTY_20.DAT
1999-11-29 18:46 53,289 ----a-w C:\Documents and Settings\Maps\USCTY_1K.DAT
1999-11-29 18:46 382,583 ----a-w C:\Documents and Settings\Maps\USCTY_8K.DAT
1999-11-29 18:46 3,611 ----a-w C:\Documents and Settings\Maps\USA_CAPS.DAT
1999-11-29 18:46 1,271 ----a-w C:\Documents and Settings\Maps\USA.DAT
1999-11-29 18:45 150,994 ----a-w C:\Documents and Settings\Maps\US_CNTY.DAT
1999-11-29 18:45 12,000 ----a-w C:\Documents and Settings\Maps\US_HIWAY.DAT
1999-11-29 18:20 24,967 ----a-w C:\Documents and Settings\Maps\UKCTY215.DAT
1999-11-29 18:20 1,632 ----a-w C:\Documents and Settings\Maps\UKMTRWAY.DAT
1999-11-29 18:20 1,449 ----a-w C:\Documents and Settings\Maps\UK_REGNS.DAT
1999-11-29 18:19 65,527 ----a-w C:\Documents and Settings\Maps\UK_A_RDS.DAT
1999-11-29 17:41 3,938 ----a-w C:\Documents and Settings\Maps\MEXICO.DAT
1999-11-18 14:00 14,962 ----a-w C:\Documents and Settings\Maps\EURHIWAY.DAT
1999-11-18 13:59 752,419 ----a-w C:\Documents and Settings\Maps\EUCTY_6K.DAT
1999-11-18 13:59 5,244 ----a-w C:\Documents and Settings\Maps\EUR_CAPS.DAT
1999-11-18 13:59 1,443,087 ----a-w C:\Documents and Settings\Maps\EUCTY11K.DAT
1999-11-18 13:52 603 ----a-w C:\Documents and Settings\Maps\DC_ZIPS.DAT
1999-11-18 13:52 51,160 ----a-w C:\Documents and Settings\Maps\DC_PTS.DAT
1999-11-18 13:52 5,830 ----a-w C:\Documents and Settings\Maps\DC_HIWAY.DAT
1999-11-18 13:52 5,020 ----a-w C:\Documents and Settings\Maps\DC_STRDS.DAT
1999-11-18 13:52 4,210 ----a-w C:\Documents and Settings\Maps\DC_INTST.DAT
1999-11-18 13:52 256 ----a-w C:\Documents and Settings\Maps\DC_BDYS.DAT
1999-11-18 13:52 2,206 ----a-w C:\Documents and Settings\Maps\DC_AREAS.DAT
1999-11-18 13:52 16,360 ----a-w C:\Documents and Settings\Maps\DC_RDS.DAT
1999-11-18 13:52 14,956 ----a-w C:\Documents and Settings\Maps\DC_WATER.DAT
1999-11-18 13:24 934 ----a-w C:\Documents and Settings\Maps\CANHIWAY.DAT
1999-11-18 13:24 900 ----a-w C:\Documents and Settings\Maps\CAN_CAPS.DAT
1999-11-18 13:24 3,469 ----a-w C:\Documents and Settings\Maps\CANADA.DAT
1999-11-18 13:24 181,097 ----a-w C:\Documents and Settings\Maps\CNCTY_3K.DAT
1999-11-18 13:24 11,573 ----a-w C:\Documents and Settings\Maps\CNCTY223.DAT
1999-11-18 13:18 573,702 ----a-w C:\Documents and Settings\Maps\Aucty_4k.DAT
1999-11-18 13:18 50,619 ----a-w C:\Documents and Settings\Maps\Aucty417.DAT
1999-11-18 13:18 386 ----a-w C:\Documents and Settings\Maps\Austrlia.DAT
1999-11-18 13:18 1,284 ----a-w C:\Documents and Settings\Maps\Aushiway.DAT
1999-11-18 13:18 1,130 ----a-w C:\Documents and Settings\Maps\Austcaps.DAT
1999-11-18 13:05 6,497 ----a-w C:\Documents and Settings\Maps\ASICTY79.DAT
1999-11-18 13:05 3,856 ----a-w C:\Documents and Settings\Maps\ASIA.DAT
1999-11-18 13:05 3,010 ----a-w C:\Documents and Settings\Maps\ASIACAPS.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-04 17:30]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 08:10]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:10]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 C:\WINDOWS\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\TEMP\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\TEMP\SASWINLO.dll 2007-04-19 13:41 294912 C:\TEMP\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo1_.exe]
debugger=nircmd execmd del /a/f c:\windows\Logo1_.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

R3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;C:\WINDOWS\system32\DRIVERS\SACMXP1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 19:59:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-07 22:00:00 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Documents and Settings\User\Desktop\Spyware\IObit SmartDefrag\schedule.exeY
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 20:04:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 20:05:35
C:\ComboFix-quarantined-files.txt ... 2007-04-18 14:52
C:\ComboFix2.txt ... 2007-12-09 20:00
C:\ComboFix3.txt ... 2007-04-18 14:52
.
--- E O F ---
--------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:08:31, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] c:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173033604250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\TEMP\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O24 - Desktop Component 0: (no name) - http://www.pebblepad.co.uk/hallam/images/grid.gif

--
End of file - 7545 bytes

That flight bag of yours looks pretty full. Better throw it out and get another. Get two.

Let's do a check to see if any of the tools tried to run.

See if you can locate this
C:\SDFix\backups
If you do find it, open with notepad and copy and paste the log for me to see....ty

Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

Did you place this item on your desktop?
http://www.pebblepad.co.uk/hallam/images/grid.gif

Also, is this a folder you created?
C:\Documents and Settings\Maps

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.


File::
C:\info.exe
c:\windows\Logo1_.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo1_.exe]




Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

NEXT

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        Extended
    • Scan Options:
        Scan Archives
        Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.



To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

In your next reply post:
Requested folder information
ComboFix.txt
Kaspersky log
New HJT log

Ah. Piece of cake.
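The 'fix checked' selection in the instructions above is mechanical enough to automate. The following Python triage of a HijackThis log is an added example, not from the forum thread and not HijackThis code: the sample lines are copied from the log posted in the thread (with three entries for real software left in so that something survives), the scoring rules are this example's own heuristics, and the Finding type and triage function are names invented here.

```python
"""Triage a HijackThis (HJT) log the way a malware-removal helper does:
pick out the entries to 'fix checked' and say why.

Added example: not from the forum thread and not HijackThis code. The
rules below are this example's own heuristics; 'Finding' and 'triage'
are names invented here.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HJT log posted in the thread, plus
# three entries (Google BHO, AVG, PCguard) that should survive triage.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: !SASWinLogon - C:\TEMP\SASWINLO.dll (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O24 - Desktop Component 0: (no name) - http://www.pebblepad.co.uk/hallam/images/grid.gif
"""

# "R0 - ...", "O20 - ...": section code, then the entry body.
HJT_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# R0/R1 bodies look like "HKCU\...\Main,Start Page = about:blank".
IE_SETTING = re.compile(r"^(?P<key>.*?)\s*=\s*(?P<val>.*)$")

# HJT appends these when the registry still names a file that is gone.
DANGLING = ("(no file)", "(file missing)")
# Nothing legitimate should be loaded at logon from these directories.
TEMP_DIRS = ("c:\\temp\\", "\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def triage(log_text: str) -> list:
    """Return one Finding per log entry that deserves a 'fix checked'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        reasons = []

        if body.endswith(DANGLING):
            reasons.append("registry entry points at a file that no longer exists")

        if sec in ("R0", "R1"):
            s = IE_SETTING.match(body)
            if s and s.group("val").strip().lower() in ("", "about:blank"):
                reasons.append("IE start/local page blanked (browser-hijack leftover)")

        if any(d in low for d in TEMP_DIRS):
            reasons.append("code loaded from a temporary directory")

        if sec in ("O20", "O21"):
            # Winlogon Notify / ShellServiceObjectDelayLoad DLLs: a bare
            # filename means %SystemRoot%\system32; a full path anywhere
            # else runs at every logon and deserves a look.
            path = low.rsplit(" - ", 1)[-1]
            if "\\" in path and "\\windows\\system32\\" not in path:
                reasons.append("logon-time DLL outside %SystemRoot%\\system32")

        if sec == "O24" and ("http://" in low or "https://" in low):
            reasons.append("Active Desktop component fetched from a web URL")

        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run as a script it prints seven entries, which are exactly the helper's two fix lists: the three R0 lines, the R3 and O2 dangling references, the O20 Winlogon Notify DLL in C:\TEMP and the O24 desktop component pulled from the web. Note what this kind of triage does not do: the actual Zbot/Wsnpoem payload (ntos.exe, which ComboFix had already quarantined into QooBox) never appears in the HijackThis log at all, so a clean-looking HJT log is evidence about autostart entries, not about the machine.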

Hi Juliet, thanks for your reply again!!
Okay here goes.......

See if you can locate this
C:\SDFix\backups
If you do find it, open with notepad and copy and paste the log for me to see....ty

I searched for this but could not find it. I used the START--SEARCH option and entered the relevant text, but it came back "Not found"?

Did you place this item on your desktop?
http://www.pebblepad.co.uk/hallam/images/grid.gif

Also, is this a folder you created?
C:\Documents and Settings\Maps

No, neither of these were created by me, or put onto my desktop.

Here are the logs you asked for......

ComboFix 07-12-09.3 - User 2007-12-09 22:10:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\info.exe
c:\windows\Logo1_.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-09 20:06 . 2007-12-09 20:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 18:11 . 2007-12-09 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-09 18:10 . 2007-12-09 20:03 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-12-09 18:09 . 2007-12-09 18:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 22:31 . 2007-12-07 22:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 22:31 . 2007-12-07 22:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 15:06 . 2007-12-01 15:06 <DIR> d-------- C:\Program Files\Tap Tap Software
2007-12-01 15:06 . 2004-05-27 11:32 102,400 --a------ C:\WINDOWS\system32\vbuzip10.dll
2007-12-01 15:06 . 2004-11-02 18:17 78,088 --a------ C:\WINDOWS\system32\dsofile.dll
2007-12-01 15:06 . 2001-07-05 15:05 40,448 --a------ C:\WINDOWS\system32\dsofile14.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 17:52 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2007-12-09 00:14 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-06 17:24 --------- d-----w C:\Program Files\SPSS
2007-12-01 15:15 --------- d-----w C:\Documents and Settings\User\Application Data\MySpace
2007-12-01 15:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 13:15 --------- d-----w C:\Program Files\BFG
2007-09-28 16:58 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-09-09 20:37 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2006-09-09 20:43 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-02-20 16:42 823,464 ----a-r C:\Documents and Settings\JRE\javaws-1_2_0_02-windows-i586-i.exe
2000-05-16 11:55 17,788 ----a-w C:\Documents and Settings\Maps\WORLD.DAT
2000-05-16 11:52 1,754 ----a-w C:\Documents and Settings\Maps\EUROPE.DAT
1999-11-30 18:04 930 ----a-w C:\Documents and Settings\Maps\ES_HIWAY.DAT
1999-11-30 18:04 85,467 ----a-w C:\Documents and Settings\Maps\ESCTY705.DAT
1999-11-30 18:04 810 ----a-w C:\Documents and Settings\Maps\MX_HIWAY.DAT
1999-11-30 18:04 4,639 ----a-w C:\Documents and Settings\Maps\ESCTY37.DAT
1999-11-30 18:04 30,526 ----a-w C:\Documents and Settings\Maps\EURNUTS2.DAT
1999-11-30 18:04 250,494 ----a-w C:\Documents and Settings\Maps\US_ZIPS.DAT
1999-11-30 18:04 2,092 ----a-w C:\Documents and Settings\Maps\ES_NUTS2.DAT
1999-11-30 18:04 18,662 ----a-w C:\Documents and Settings\Maps\MXCTY364.DAT
1999-11-30 18:04 11,626 ----a-w C:\Documents and Settings\Maps\EURNUTS1.DAT
1999-11-30 18:04 108,626 ----a-w C:\Documents and Settings\Maps\MXCTY_2K.DAT
1999-11-30 18:04 1,781 ----a-w C:\Documents and Settings\Maps\MX_CAPS.DAT
1999-11-30 16:57 78 ----a-w C:\Documents and Settings\Maps\OCN_ASIA.DAT
1999-11-30 16:55 72 ----a-w C:\Documents and Settings\Maps\OCEAN_LL.DAT
1999-11-29 18:55 72 ----a-w C:\Documents and Settings\Maps\OCEAN.DAT
1999-11-29 18:54 332 ----a-w C:\Documents and Settings\Maps\GRID15.DAT
1999-11-29 18:53 2,123 ----a-w C:\Documents and Settings\Maps\WLDCTY25.DAT
1999-11-29 18:53 13,826 ----a-w C:\Documents and Settings\Maps\WORLDCAP.DAT
1999-11-29 18:46 958 ----a-w C:\Documents and Settings\Maps\USCTY_20.DAT
1999-11-29 18:46 53,289 ----a-w C:\Documents and Settings\Maps\USCTY_1K.DAT
1999-11-29 18:46 382,583 ----a-w C:\Documents and Settings\Maps\USCTY_8K.DAT
1999-11-29 18:46 3,611 ----a-w C:\Documents and Settings\Maps\USA_CAPS.DAT
1999-11-29 18:46 1,271 ----a-w C:\Documents and Settings\Maps\USA.DAT
1999-11-29 18:45 150,994 ----a-w C:\Documents and Settings\Maps\US_CNTY.DAT
1999-11-29 18:45 12,000 ----a-w C:\Documents and Settings\Maps\US_HIWAY.DAT
1999-11-29 18:20 24,967 ----a-w C:\Documents and Settings\Maps\UKCTY215.DAT
1999-11-29 18:20 1,632 ----a-w C:\Documents and Settings\Maps\UKMTRWAY.DAT
1999-11-29 18:20 1,449 ----a-w C:\Documents and Settings\Maps\UK_REGNS.DAT
1999-11-29 18:19 65,527 ----a-w C:\Documents and Settings\Maps\UK_A_RDS.DAT
1999-11-29 17:41 3,938 ----a-w C:\Documents and Settings\Maps\MEXICO.DAT
1999-11-18 14:00 14,962 ----a-w C:\Documents and Settings\Maps\EURHIWAY.DAT
1999-11-18 13:59 752,419 ----a-w C:\Documents and Settings\Maps\EUCTY_6K.DAT
1999-11-18 13:59 5,244 ----a-w C:\Documents and Settings\Maps\EUR_CAPS.DAT
1999-11-18 13:59 1,443,087 ----a-w C:\Documents and Settings\Maps\EUCTY11K.DAT
1999-11-18 13:52 603 ----a-w C:\Documents and Settings\Maps\DC_ZIPS.DAT
1999-11-18 13:52 51,160 ----a-w C:\Documents and Settings\Maps\DC_PTS.DAT
1999-11-18 13:52 5,830 ----a-w C:\Documents and Settings\Maps\DC_HIWAY.DAT
1999-11-18 13:52 5,020 ----a-w C:\Documents and Settings\Maps\DC_STRDS.DAT
1999-11-18 13:52 4,210 ----a-w C:\Documents and Settings\Maps\DC_INTST.DAT
1999-11-18 13:52 256 ----a-w C:\Documents and Settings\Maps\DC_BDYS.DAT
1999-11-18 13:52 2,206 ----a-w C:\Documents and Settings\Maps\DC_AREAS.DAT
1999-11-18 13:52 16,360 ----a-w C:\Documents and Settings\Maps\DC_RDS.DAT
1999-11-18 13:52 14,956 ----a-w C:\Documents and Settings\Maps\DC_WATER.DAT
1999-11-18 13:24 934 ----a-w C:\Documents and Settings\Maps\CANHIWAY.DAT
1999-11-18 13:24 900 ----a-w C:\Documents and Settings\Maps\CAN_CAPS.DAT
1999-11-18 13:24 3,469 ----a-w C:\Documents and Settings\Maps\CANADA.DAT
1999-11-18 13:24 181,097 ----a-w C:\Documents and Settings\Maps\CNCTY_3K.DAT
1999-11-18 13:24 11,573 ----a-w C:\Documents and Settings\Maps\CNCTY223.DAT
1999-11-18 13:18 573,702 ----a-w C:\Documents and Settings\Maps\Aucty_4k.DAT
1999-11-18 13:18 50,619 ----a-w C:\Documents and Settings\Maps\Aucty417.DAT
1999-11-18 13:18 386 ----a-w C:\Documents and Settings\Maps\Austrlia.DAT
1999-11-18 13:18 1,284 ----a-w C:\Documents and Settings\Maps\Aushiway.DAT
1999-11-18 13:18 1,130 ----a-w C:\Documents and Settings\Maps\Austcaps.DAT
1999-11-18 13:05 6,497 ----a-w C:\Documents and Settings\Maps\ASICTY79.DAT
1999-11-18 13:05 3,856 ----a-w C:\Documents and Settings\Maps\ASIA.DAT
1999-11-18 13:05 3,010 ----a-w C:\Documents and Settings\Maps\ASIACAPS.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-04 17:30]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 08:10]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:10]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 C:\WINDOWS\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\TEMP\SASSEH.DLL [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\TEMP\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

R3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;C:\WINDOWS\system32\DRIVERS\SACMXP1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 20:15:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-09 22:00:00 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Documents and Settings\User\Desktop\Spyware\IObit SmartDefrag\schedule.exeY
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 22:12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 22:13:02
C:\ComboFix-quarantined-files.txt ... 2007-04-18 14:52
C:\ComboFix2.txt ... 2007-12-09 20:05
C:\ComboFix3.txt ... 2007-12-09 20:00
.
--- E O F ---
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 10, 2007 12:09:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 477939
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45676
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:34:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Freedom\logs\FirewallService12-09-2007--20-12-05.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12222006-014232.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{15273A8F-C20B-4ECB-B670-D37E6FDAD987} Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007120920071210\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\info.exe.vir Infected: Trojan-Spy.Win32.Zbot.dq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan-Spy.Win32.Zbot.dq skipped
C:\System Volume Information\_restore{4B63690D-45BA-4480-A3C3-9AF21F4A87F6}\RP302\A0018414.exe Object is locked skipped
C:\System Volume Information\_restore{4B63690D-45BA-4480-A3C3-9AF21F4A87F6}\RP306\A0018593.exe Object is locked skipped
C:\System Volume Information\_restore{4B63690D-45BA-4480-A3C3-9AF21F4A87F6}\RP306\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6BD084A7-1B57-4C8C-BCB0-A7BD495DD195}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:12:51, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] c:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173033604250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\TEMP\SASWINLO.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O24 - Desktop Component 0: (no name) - http://www.pebblepad.co.uk/hallam/images/grid.gif

--
End of file - 7200 bytes

Obviously there wasn't much to report on. These Windows machines are a lot simpler than people give them credit for.

Files Installed with the Stand-Alone Version of MS Excel
C:\Documents and Settings\Maps
http://support.microsoft.com/kb/171741

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O20 - Winlogon Notify: !SASWinLogon - C:\TEMP\SASWINLO.dll (file missing)
O24 - Desktop Component 0: (no name) - http://www.pebblepad.co.uk/hallam/images/grid.gif

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

Reboot to set the registry

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u; it needs to be there.

    Example below

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Post back once more and let me know what issues remain, I think we're ready for closing and preventive tips.

Oh well.

Copyright © Rixstep. All rights reserved.