Infected, Please help!!!

Ok here's what is happening. I think that I have a virus, it deleted the Avast, Spybot S&D, and Trend executable files. Every time I reinstall it just deletes them instantly again. I've done a Windows XP Pro Repair with the CD. I had the Vundo virus but I deleted it with an online Norton Scanner. My other spyware programs can't find it. It also changed my desktop to blue and grayed out my Desktop Properties. I used a smitfraud.reg fix that I found in one of the other threads, that un-grayed the properties. But it still doesn't show the picture I select, it just remains blue. The only time it shows the desktop picture is when I shut the computer down and all the icons disappear, you can see it for a second. My computer is very vulnerable, because it won't let me install any other virus protection, like AVG or Avast, it just deletes them. It also won't let me install the Windows 3.1 Installer, it starts to install then it says "Cannot find the specified path". Please help me.
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:54 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Moffsoft Calculator 2\MoffCalc2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Desktop weather authority\TrueWeather.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Michael\Desktop\Avast\setupengpro.exe
C:\DOCUME~1\Michael\LOCALS~1\Temp\_av_sfx.tm~a03136\avast.setup
C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\WINDOWS\REGEDIT.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michael\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O1 - Hosts: 204.224.4.1 sda.ds.adp.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ScrSvrHK] C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Moffsoft Calculator 2] C:\Program Files\Moffsoft Calculator 2\MoffCalc2.exe /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Desktop Weather Authority.lnk = C:\Program Files\Common Files\Desktop weather authority\TrueWeather.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - http://204.224.4.1/sport/download/common/atSdaCfg.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://pilot.vehicledata.com/WebForm...ts/arview2.cab
O16 - DPF: {CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_04) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://crm.icarconnect.com/editlive/.../editlive4.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 11046 bytes

Please help, thank you.
Michael Ifland
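As an added worked example (editor's code, not anything posted in this thread and not part of HijackThis itself), the following Python script does the first pass a helper does by eye on a log like the one above: it parses the tagged R/O entries, flags the entry types that matter most (a loopback ProxyServer, hosts-file overrides, "(no file)" COM registrations, O6 policy restrictions, services whose binary is "(file missing)", DPF entries without a source) and diffs two logs of the same machine so that a follow-up log can be checked for what went away and what appeared. The flagging rules and their severities are this example's own heuristics; the two embedded logs are constructed excerpts of the logs posted in this thread, trimmed to the entries the rules react to.

```python
"""HijackThis log triage: parse, flag, and diff.

Added example for this thread (editor's code, not a tool the posters used).
The flagging rules below are this example's own heuristics, not HijackThis's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: excerpt of the first log posted in the thread, trimmed to
# the entries the rules react to. Paths and CLSIDs are as they appear there.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 204.224.4.1 sda.ds.adp.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

# Constructed sample: the same machine after cleanup (excerpt of the second log).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

# A HijackThis entry is "<tag> - <body>" with tag R0-R3, F0-F3, N1-N4 or O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
LOCAL_PROXY_HOSTS = {"127.0.0.1", "localhost"}


@dataclass(frozen=True)
class Entry:
    kind: str  # section tag, e.g. "R1", "O2", "O23"
    body: str  # rest of the line, whitespace-trimmed


def parse_hjt(log: str) -> list[Entry]:
    """Return the tagged entries of a HijackThis log in file order."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, Entry]]:
    """Apply conservative rules; returns (severity, reason, entry) in log order."""
    findings = []
    for e in entries:
        b = e.body
        if e.kind == "R1" and "ProxyServer" in b:
            # "ProxyServer = host:port": a loopback proxy means some local
            # process sits between the browser and the network.
            host = b.split("=", 1)[1].strip().rsplit(":", 1)[0]
            if host in LOCAL_PROXY_HOSTS:
                findings.append(("high", "browser traffic routed through a local proxy process", e))
            else:
                findings.append(("medium", "explicit browser proxy configured", e))
        elif e.kind == "O1":
            findings.append(("medium", "hosts-file override", e))
        elif e.kind in {"O2", "O3", "O9", "O22"} and b.endswith("(no file)"):
            findings.append(("low", "orphaned COM registration, safe to fix", e))
        elif e.kind == "O23" and b.endswith("(file missing)"):
            findings.append(("high", "service registered but its binary is gone", e))
        elif e.kind == "O6":
            findings.append(("medium", "IE/Control Panel policy restriction present", e))
        elif e.kind == "O16" and b.endswith(" -"):
            findings.append(("low", "ActiveX (DPF) entry with no source URL", e))
    return findings


def diff_logs(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that appeared in, and disappeared from, a follow-up log of the same machine."""
    before, after = parse_hjt(old), parse_hjt(new)
    old_set, new_set = set(before), set(after)
    return [e for e in after if e not in old_set], [e for e in before if e not in new_set]


if __name__ == "__main__":
    for sev, reason, e in triage(parse_hjt(LOG_BEFORE)):
        print(f"{sev.upper():6} {reason}: {e.kind} - {e.body}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries gone, {len(added)} new, "
          f"{len(triage(parse_hjt(LOG_AFTER)))} findings still open")
```

Run against the two excerpts, the diff shows the hosts entry, the orphaned BHO and the missing-binary avast service gone after cleanup, while the loopback ProxyServer and the IE policy key are still open findings: the rules deliberately do not auto-decide that a finding is benign, because an explicit 127.0.0.1 proxy can be a legitimate local filter just as easily as an interception hook, and the helper has to look at what is listening on that port.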
Re: Infected, Please help!!!

Hi, Michael, let's try to see what you have. Because you had a Vundo infection please rename hijackthis.exe to imabunny.exe - this is important. I should not doubt Norton's expertise, but...

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it.
Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES.
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the VundoFix log for any found files that were not deleted - if present rerun VundoFix !!!

Start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [ScrSvrHK] C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe
Delete this file: C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe - to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post the contents of C:\vundofix.txt, C:\Combofix.txt plus a new HijackThis log with your comments.
Re: Infected, Please help!!!

gerbil, thank you for your quick reply. I will do all these things and get back to you. In reference to the file below:
C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe
That is a program that I wrote in VB.
Re: Infected, Please help!!!

Once again, gerbil, thanks for your help. I did everything that you said. I did it all in safe mode, because it didn't restart after VundoFix ran. I hope this was ok. I also saw another log in the C:\ drive called ComboFix-quarantine; I don't know how relevant this log is but I will post it as well.

VundoFix log:

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:42:20 AM 8/30/2007

Listing files found while scanning....

No infected files were found.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:25 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Moffsoft Calculator 2\MoffCalc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Desktop weather authority\TrueWeather.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ScrSvrHK] C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Moffsoft Calculator 2] C:\Program Files\Moffsoft Calculator 2\MoffCalc2.exe /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Desktop Weather Authority.lnk = C:\Program Files\Common Files\Desktop weather authority\TrueWeather.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - http://204.224.4.1/sport/download/common/atSdaCfg.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://pilot.vehicledata.com/WebForm...ts/arview2.cab
O16 - DPF: {CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_04) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://crm.icarconnect.com/editlive/.../editlive4.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 9766 bytes

ComboFix log:

ComboFix 07-08-30.3 - "Michael" 2007-08-30 10:39:01.1 - NTFS x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.763 [GMT -5:00]
C:\WINDOWS\system32\chkdsk.exe not present
ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: The system cannot find the file specified.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\hosts
C:\WINDOWS\system32\aspi32.exe
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\packet.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NPF
-------\LEGACY_SROSA
-------\srosa

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))

2007-08-30 10:51  <DIR>  d--------  C:\WINDOWS\LastGood
2007-08-30 10:32  51,200  --a------  C:\WINDOWS\nircmd.exe
2007-08-30 09:42  <DIR>  d----c---  C:\VundoFix Backups
2007-08-29 17:35  <DIR>  d--------  C:\Program Files\Windows Live Safety Center
2007-08-29 16:28  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-08-29 16:00  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-29 14:00  78,848  --a------  C:\WINDOWS\system32\msiexec.exe
2007-08-29 14:00  271,360  --a------  C:\WINDOWS\system32\msihnd.dll
2007-08-29 14:00  2,854,400  --a------  C:\WINDOWS\system32\msi.dll
2007-08-29 13:28  66,048  --a--c---  C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-08-29 13:28  2,148,352  --a--c---  C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-08-29 10:22  <DIR>  d--------  C:\Program Files\ClamWin
2007-08-28 14:24  169,984  --a------  C:\WINDOWS\system32\spuninst.exe
2007-08-28 14:07  163,840  --a------  C:\WINDOWS\system32\igfxres.dll
2007-08-28 13:51  725,566  --a--c---  C:\WINDOWS\system32\dllcache\srchui.dll
2007-08-28 13:51  58,434  --a--c---  C:\WINDOWS\system32\dllcache\srchctls.dll
2007-08-28 13:51  3,166,208  --a--c---  C:\WINDOWS\system32\dllcache\msgr3en.dll
2007-08-28 13:51  16,384  --a--c---  C:\WINDOWS\system32\dllcache\isignup.exe
2007-08-28 13:34  24,661  --a--c---  C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-08-28 13:34  24,661  --a------  C:\WINDOWS\system32\spxcoins.dll
2007-08-28 13:34  13,312  --a--c---  C:\WINDOWS\system32\dllcache\irclass.dll
2007-08-28 13:34  13,312  --a------  C:\WINDOWS\system32\irclass.dll
2007-08-28 13:11  <DIR>  d--------  C:\WINDOWS\srchasst
2007-08-28 11:16  28,672  --a------  C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-08-28 09:53  200  --a------  C:\WINDOWS\QCPC60UI.dat
2007-08-27 18:17  <DIR>  d----c---  C:\Avast
2007-08-27 13:43  76,560  --a------  C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-27 10:38  <DIR>  d--------  C:\WINDOWS\BDOSCAN8
2007-08-25 16:15  <DIR>  d--------  C:\WINDOWS\system32\Kaspersky Lab
2007-08-25 16:15  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-25 15:29  48,128  --a------  C:\WINDOWS\system32\igxprd32.dll
2007-08-25 15:29  1,109,568  --a------  C:\WINDOWS\system32\drivers\igxpmp32.sys
2007-08-25 15:28  397,312  --a------  C:\WINDOWS\system32\igxpun.exe
2007-08-25 15:28  309,760  --a------  C:\WINDOWS\system32\difxapi.dll
2007-08-25 15:28  309,760  --a------  C:\WINDOWS\system32\difx32.dll
2007-08-25 15:28  2,076,160  --a------  C:\WINDOWS\system32\igxpdx32.dll
2007-08-25 15:28  192,512  --a------  C:\WINDOWS\system32\igfxCoIn_v4670.dll
2007-08-25 15:28  140,288  --a------  C:\WINDOWS\system32\igxpgd32.dll
2007-08-25 15:28  1,304,320  --a------  C:\WINDOWS\system32\igxpdv32.dll
2007-08-25 15:28  <DIR>  d--------  C:\WINDOWS\system32\Lang
2007-08-25 15:15  <DIR>  d--------  C:\DOCUME~1\Michael\.housecall6.6
2007-08-25 14:33  <DIR>  d--------  C:\Program Files\Anti-Spy.Info
2007-08-25 14:33  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiSpyInfo
2007-08-25 12:33  <DIR>  d--------  C:\DOCUME~1\Michael\APPLIC~1\INAC
2007-08-25 12:33  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\INAC
2007-08-25 12:27  67,645  --a------  C:\WINDOWS\system32\drivers\pshook11.sys
2007-08-25 12:26  <DIR>  d--------  C:\Program Files\Spyware Nuker
2007-08-25 12:26  <DIR>  d--------  C:\Program Files\INAC
2007-08-24 18:24  <DIR>  d----c---  C:\Virtual
2007-08-20 18:26  <DIR>  d--------  C:\Program Files\WHSL Log Backup
2007-08-17 17:36  5,632  --a------  C:\WINDOWS\system32\ptpusb.dll
2007-08-17 17:36  159,232  --a------  C:\WINDOWS\system32\ptpusd.dll
2007-08-15 18:19  <DIR>  d--------  C:\Program Files\MSXML 6.0
2007-08-11 14:48  <DIR>  d--------  C:\DOCUME~1\Michael\APPLIC~1\DivX
2007-08-11 14:47  9,464  --a------  C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-11 14:47  9,336  --a------  C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-11 14:47  129,784  --a------  C:\WINDOWS\system32\pxafs.dll
2007-08-10 14:34  765,952  --a------  C:\WINDOWS\system32\xvidcore.dll
2007-08-10 14:34  383,238  --a------  C:\WINDOWS\system32\libmp3lame-0.dll
2007-08-10 14:34  3,086,336  --a------  C:\WINDOWS\system32\NCMedia.dll
2007-08-10 14:34  3,086,336  --a------  C:\WINDOWS\system32\flvvideo.dll
2007-08-10 14:34  <DIR>  d----c---  C:\videooutput
2007-08-10 14:34  <DIR>  d--------  C:\Program Files\Free FLV to AVI Converter
2007-08-10 13:21  <DIR>  d--------  C:\Program Files\Total Video Converter
2007-08-06 08:31  53,248  --a------  C:\WINDOWS\system32\Process.exe
2007-08-06 08:31  51,200  --a------  C:\WINDOWS\system32\dumphive.exe
2007-08-06 08:31  288,417  --a------  C:\WINDOWS\system32\SrchSTS.exe
2007-08-01 14:51  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\BlueZone
2007-08-01 14:48  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Seagull Software
2007-08-01 14:00  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft
2007-08-01 13:59  <DIR>  d--------  C:\Program Files\sda
2007-08-01 13:59  <DIR>  d--------  C:\Program Files\Common Files\supportsoft
2007-07-31 17:09  <DIR>  d--------  C:\Program Files\ScrSvr Hot Key
2007-07-25 22:06  144,704  --a------  C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 21:53  524,288  --a------  C:\WINDOWS\system32\DivXsm.exe
2007-07-25 21:53  3,596,288  --a--c---  C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 21:53  200,704  --a------  C:\WINDOWS\system32\ssldivx.dll
2007-07-25 21:53  1,044,480  --a------  C:\WINDOWS\system32\libdivx.dll
2007-07-25 21:49  12,288  --a------  C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-09 11:24  <DIR>  d--------  C:\Program Files\Free Audio Pack

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 17:20  ---------  d--------  C:\Program Files\Yahoo!
2007-08-29 17:18  ---------  d--------  C:\DOCUME~1\Michael\APPLIC~1\Yahoo!
2007-08-29 17:18  ---------  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-29 09:37  ---------  d--------  C:\Program Files\Trend Micro
2007-08-28 18:12  ---------  d--------  C:\Program Files\DellSupport
2007-08-28 18:09  ---------  d--------  C:\Program Files\Common Files\Desktop weather authority
2007-08-28 18:07  ---------  d--------  C:\Program Files\Apoint
2007-08-28 11:18  ---------  d--------  C:\Program Files\Winspector
2007-08-28 10:11  ---------  d--------  C:\Program Files\SpywareBlaster
2007-08-27 10:30  ---------  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-25 09:46  9344  --a------  C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-25 09:46  8320  --a------  C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-24 20:46  ---------  d--------  C:\Program Files\palmOne
2007-08-24 19:38  ---------  d--------  C:\Program Files\Alwil Software
2007-08-24 19:15  1822  --a------  C:\WINDOWS\system32\tmp.reg
2007-08-24 18:37  ---------  d--------  C:\Program Files\XoftSpySE
2007-08-16 11:57  ---------  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-16 09:42  356352  --a------  C:\DOCUME~1\Michael\cwshredder.dll
2007-08-11 14:47  ---------  d--------  C:\Program Files\DivX
2007-08-02 11:21  ---------  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-08-01 14:34  ---------  d--------  C:\Program Files\ADP
2007-07-30 19:19  92504  --a------  C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19  549720  --a------  C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19  53080  --a------  C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19  43352  --a------  C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19  325976  --a------  C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19  271224  --a------  C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19  207736  --a------  C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19  203096  --a------  C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19  1712984  --a------  C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18  33624  --a------  C:\WINDOWS\system32\wups.dll
2007-07-30 16:03  ---------  d--------  C:\Program Files\eMule
2007-07-30 16:02  ---------  d--------  C:\Program Files\VeryPDF PDF Editor v2.2
2007-07-27 17:07  783224  --a------  C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02  94416  --a------  C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02  92848  --a--c---  C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00  23152  --a------  C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59  42912  --a------  C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58  26624  --a------  C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57  95608  --a------  C:\WINDOWS\system32\AVASTSS.scr
2007-07-25 21:53  43528  --a------  C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 21:53  120056  --a--c---  C:\WINDOWS\system32\pxcpyi64.exe
2007-07-25 21:53  118520  --a--c---  C:\WINDOWS\system32\pxinsi64.exe
2007-07-25 21:50  823296  --a------  C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 21:50  823296  --a------  C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 21:50  81920  --a------  C:\WINDOWS\system32\dpl100.dll
2007-07-25 21:50  802816  --a------  C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 21:50  740442  --a------  C:\WINDOWS\system32\DivX.dll
2007-07-25 21:50  593920  --a------  C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 21:50  57344  --a------  C:\WINDOWS\system32\dpv11.dll
2007-07-25 21:50  53248  --a------  C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 21:50  344064  --a------  C:\WINDOWS\system32\dpus11.dll
2007-07-25 21:50  294912  --a------  C:\WINDOWS\system32\dpu11.dll
2007-07-25 21:50  294912  --a------  C:\WINDOWS\system32\dpu10.dll
2007-07-25 21:50  196608  --a------  C:\WINDOWS\system32\dtu100.dll
2007-07-12 10:26  ---------  d--------  C:\Program Files\bDeluxe
2007-06-29 16:39  61440  --a------  C:\WINDOWS\wnUninstall.exe
2007-02-05 10:28  3
--a------ C:\Program Files\fld.dll 2005-04-21 17:02 13824 --a--c--- C:\DOCUME~1\Michael\atwbxdet.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Dell QuickSet"="C:\PROGRA~1\Dell\QuickSet\quickset.exe" [2004-11-10 12:54] "ScrSvrHK"="C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe" [2007-07-31 17:42] "SWN2"="C:\Program Files\Spyware Nuker\swnxt.exe" [2007-08-25 12:56] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33] "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-29 16:47] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09] "Moffsoft Calculator 2"="C:\Program Files\Moffsoft Calculator 2\MoffCalc2.exe" [2006-12-15 16:25] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 07:00] C:\DOCUME~1\Michael\STARTM~1\Programs\Startup\ Desktop Weather Authority.lnk - C:\Program Files\Common Files\Desktop weather authority\TrueWeather.exe [2005-07-11 09:19:45] WordWeb Pro.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-05-28 12:18:16] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= c:\Program Files\Trend Micro\Tmas\sshook.dll [2007-08-25 13:19 77824] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader 
Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Weather Authority.lnk] backup=C:\WINDOWS\pss\Desktop Weather Authority.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LNSS Status Monitor.lnk] backup=C:\WINDOWS\pss\LNSS Status Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axent] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\iTunesHelper] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search and Recover Disk Image Service] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Macromedia Licensing Service"=3 (0x3) "iPodService"=3 (0x3) "ColdFusion MX 7 Search Server"=2 (0x2) "ColdFusion MX 7 ODBC Server"=2 (0x2) "ColdFusion MX 7 ODBC Agent"=2 (0x2) "ColdFusion MX 7 Application Server"=2 (0x2) "SQLWriter"=2 (0x2) "SQLBrowser"=2 (0x2) "RemoteRegistry"=2 (0x2) "RDSessMgr"=3 (0x3) "RasMan"=3 (0x3) "RasAuto"=3 (0x3) "MSSQL$SQLEXPRESS"=2 (0x2) "mnmsrvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Windows Media Player"=C:\Program Files\Windows Media Player\wmplayer.exe 
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime "Apoint"=C:\Program Files\Apoint\Apoint.exe R2 tgsrvc_sda;SupportSoft Repair Service (sda);C:\Program Files\sda\bin\tgsrvc.exe /p sda S3 PORTMON;PORTMON;\??\C:\Documents and Settings\Michael\Desktop\Sysinternals\PORTMSYS.SYS S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 S4 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a2f0b4c-ffca-11db-81a6-00114373e488}] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde75848-78ca-11db-814d-000b7d1c8ad1}] Contents of the 'Scheduled Tasks' folder 2007-08-28 19:30:32 C:\WINDOWS\Tasks\Disk Cleanup.job - C:\WINDOWS\system32\cleanmgr.exe 2007-08-30 14:30:01 C:\WINDOWS\Tasks\F&I Log Backup.job - C:\PROGRA~1\F&ILOG~2\FANDIL~1.EXE 2007-08-30 15:50:11 C:\WINDOWS\Tasks\WHSL Log Backup.job 2007-08-28 08:00:00 C:\WINDOWS\Tasks\XoftSpySE.job ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-30 10:52:50 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
C:\WINDOWS\KB933360.log scan completed successfully hidden files: 1 ************************************************************************** Completion time: 2007-08-30 10:58:37 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-30 10:58 --- E O F --- ComboFix-quarantine log: 1999-11-24 01:00 288433 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\aspi32.exe.vir That's it, thank you. |
Re: Infected, Please help!!!

Hey gerbil, good news, everything seems to be working fine now. I reinstalled all my antivirus and anti-spyware programs and they are working great. Man, you are a life saver. I really, really appreciate this help. It is invaluable. Only one problem remaining: I can't install Windows updates. The notification icon comes up in the tray, I select to install and it tries, then says that the updates weren't installed. Any ideas on that? Thank you from the bottom of my motherboard, Michael Ifland
Re: Infected, Please help!!!

Turn off your antivirus (temporarily while it installs, turn back on afterwards), that worked for me. Some of them block the registry from being edited.
Re: Infected, Please help!!!

Okay, I'll have to let you off on this one:
C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe :)

May I assume this is your work also [sched task]?
2007-08-30 14:30:01 C:\WINDOWS\Tasks\F&I Log Backup.job - C:\PROGRA~1\F&ILOG~2\FANDIL~1.EXE

Note that these two sys files are missing...
C:\WINDOWS\system32\chkdsk.exe not present
C:\WINDOWS\system32\ntoskrnl.exe - you must have a 3rd party one?

Use hijackthis to fix this entry:
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - (no file)
- the remainder of the HT log was clean.

The reasons for updates not working are many.... mine do work, and so I tend not to get too interested in its ways. Sorry, I know they can be fickle for some.

Play in the registry with these if you wish....

Two bad keys, unless you like MyWebSearch:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

These three keys point nowhere?:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axent]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]

Not required:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"=0 (0x0)

Cheers, glad you're flying again. [delete all vundofix and combofix files....]
Re: Infected, Please help!!!

Yes, F&I Log Backup is also my work. gerbil, you are a life saver. I really appreciate all your help. HBK619, thanks for the suggestion; I turned off the antivirus and the firewall, but the updates still won't work. Another weird thing is when I insert my flash drive, it recognizes that I put in a mass storage device, but it doesn't let me access it unless I go into Computer Management and manually name the drive letter. Then I can open it, but when I remove it, it leaves the drive letter until I restart. I can't re-use that drive letter either, until I restart. Once again, thank you for your help. Michael Ifland
Re: Infected, Please help!!!

I may be able to help you with the flash drive problem... copy the text between the lines to a notepad, save it as nodrives.reg to your desktop, dclick it to run it - tell me what happens [you may need to restart..]

___________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=dword:0
___________________________________________
Re: Infected, Please help!!!

When I run it it brings up an error that reads: "Cannot import C:\Documents and Settings\Michael\Desktop\nodrives.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor." Thanks, Michael Ifland
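As an added example (not code from the thread or from either poster), here is the nodrives.reg fix posted above with its line breaks restored, a small parser that applies the structural rules regedit enforces on such scripts (version line first, then bracketed key paths and name=value lines), and a decoder for the NoDrives policy bitmask, in which bit n hides drive letter n so a value of 0 unhides every drive. The parser, the helper names and the one-line paste used as the failing case are assumptions of this example, not a statement of what went wrong on Michael's machine.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9A-Fa-f]{1,8}|"[^"]*")$')

# The fix gerbil posted, as a constructed copy with its line breaks restored.
NODRIVES_FIX = "\r\n".join([
    REG_HEADER,
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]",
    '"NoDrives"=dword:0',
    "",
])

def parse_reg(text):
    """Parse a .reg script into {key_path: {name: value}}; ValueError on faults."""
    lines = text.splitlines()
    # regedit requires the version line first; a script pasted onto a single
    # line (or with a stray first line) is refused as "not a registry script".
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("missing version header on the first line")
    result, key = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable or misplaced line: " + line)
        name, raw = m.groups()
        # dword values are hexadecimal; string values are returned without quotes
        result[key][name] = int(raw[6:], 16) if raw.startswith("dword:") else raw[1:-1]
    return result

def import_check(text):
    """None if the script passes the checks above, else the rejection reason."""
    try:
        parse_reg(text)
    except ValueError as exc:
        return str(exc)
    return None

def hidden_drives(nodrives):
    """Drive letters hidden by a NoDrives bitmask: bit 0 is A:, bit 25 is Z:."""
    return [chr(ord("A") + n) for n in range(26) if nodrives >> n & 1]

if __name__ == "__main__":
    print(parse_reg(NODRIVES_FIX))
    print(import_check(" ".join(NODRIVES_FIX.split())))  # same text on one line
    print(hidden_drives(0x4))  # a NoDrives value that would hide C:
```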
©2003 - 2009 DaniWeb® LLC