« previous next »
Pages: [1]

Author Topic: Spyware and Malware  (Read 852 times)

Offline vid85

  • Newbie
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Spyware and Malware
« on: January 30, 2008, 05:30:11 AM »
Hi there. My fren com have infected with some spyware and malware. When i tried to remove some of them using spybot search and destroy or Ad-Aware, some of the com function cannot be use, for example, the internet access.
Here is the log file from HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:22 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\windows\system32\rlvknlg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?5bfd861866d44dfe952bd7d1ef3874d0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?5bfd861866d44dfe952bd7d1ef3874d0
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qt...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194705133578
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...195f6925c851a1d
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9844 bytes

Thnx for the help once again ^^
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Spyware and Malware
« Reply #1 on: January 31, 2008, 08:31:20 PM »
Can you do the following please

You have both Avast AV and AVG AV installed
Decide which Antivirus you like the best and uninstall the other
Having more than one AntiVirus software running can, and probably will cause conflicts and system slowdowns
Reboot the computer after removal

Do a "System scan only" with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe


O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...195f6925c851a1d


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer again

Can you then do the following
Post a fresh hijackthis log

In addition
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents


Also: Your friends computer also appears to have an infection that is infected by the use of Flash drives
Eg... USB thumbdrive
Do you have access to this thumbdrive?
We must disinfect it, don't have him let other ppls use this thumbdrive till it is clean or they will also be infected
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline vid85

  • Newbie
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Spyware and Malware
« Reply #2 on: February 01, 2008, 06:03:41 AM »
Hi there, thnx for the reply.

Here is a new log file,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:38 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\windows\system32\rlvknlg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?5bfd861866d44dfe952bd7d1ef3874d0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?5bfd861866d44dfe952bd7d1ef3874d0
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qt...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194705133578
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8590 bytes

And here is the uninstall list,

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe MPEG Encoder
Adobe Photoshop 7.0
Adobe Premiere 6.5
Adobe Reader 6.0.1
Adobe Shockwave Player
Advanced RealMedia Export Plug-in for Premiere 6.0
All Video to VCD SVCD DVD Creator & Burner 1.4.1
AVG 7.5
Canon MultiPASS Suite 4.40
Crystal Player Professional 1.76
Digimax Converter
Digimax Master
Digital Photo Navigator 1.0
DivX Player
D-Link AirPlus G+ Wireless Adapter Utility
FLV Player 1.3.3
GetAmped
GetRight
Helix Producer Plus 9
HijackThis 2.0.2
ijji - Gunz
ijji Auto Installer
iPod for Windows 2006-06-28
iTunes
Magic Ball 2
maplestory
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Professional
Mozilla Firefox (2.0.0.11)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 6 Ultra Edition
Nokia Multimedia Player
OmniPage SE
OneCare Advisor (Windows Live Toolbar)
PC-Linq
Popup Blocker (Windows Live Toolbar)
PowerDVD
PowerQuest PartitionMagic 8.0
Presto! Image Folio 4.2
Presto! Mr.Photo 3
QuickTime
RelevantKnowledge
Rhapsody Player Engine
Samsung USB Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SiS 900 PCI Fast Ethernet Adapter Driver
Smart Audio Converter
Smart Menus (Windows Live Toolbar)
Sony Ericsson Communication Center
Sony Ericsson PC Suite
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Tabbed Browsing (Windows Live Toolbar)
TC Native Essentials 2.02
TigerLIVE StraightUp Screen Saver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Virtools 3D Life Player
Windows Installer 3.1 (KB893803)
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WolfTeam International
XingMPEG Player

As for the thumbdrive, I dun have the access to it yet.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Spyware and Malware
« Reply #3 on: February 01, 2008, 09:56:41 AM »
Access your add/remove programs via control panel and uninstall

RelevantKnowledge

Reboot the computer afterwards

Back in Windows
Download the Flash_Disinfector.exe from here and save to desktop
http://www.techsupportforum.com/sectools/s...Disinfector.exe
Run Flash_Disinfector.exe, Follow the prompts
Insert any removable flash drives you may have when prompted <--If you used any of your own thumbdrives on this computer, insert it

Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from Combofix please
It's default location is C:\Combofix.txt

Also post a fresh hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline vid85

  • Newbie
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Spyware and Malware
« Reply #4 on: February 02, 2008, 04:41:19 AM »
Hi, here's the log file from the ComboFix:

ComboFix 08-02.02.5 - DYKE 2008-02-02 17:25:07.1 - NTFSx86
Running from: C:\Documents and Settings\DYKE\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2008-01-02 to 2008-02-02  )))))))))))))))))))))))))))))))
.

2008-01-30 18:30 . 2008-01-30 18:30   <DIR>   d--------   C:\Program Files\Trend Micro
2008-01-30 17:08 . 2008-01-30 17:08   <DIR>   d--------   C:\Program Files\Lavasoft
2008-01-30 17:08 . 2008-01-30 17:09   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-30 17:06 . 2008-01-30 17:06   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-30 15:52 . 2008-01-30 15:52   0   --a------   C:\WINDOWS\nsreg.dat
2008-01-30 14:57 . 2008-01-30 14:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2008-01-30 14:57 . 2005-08-25 18:19   115,920   --a------   C:\WINDOWS\system32\MSINET.OCX
2008-01-29 01:12 . 2005-05-09 07:19   3,013,305   --a------   C:\WINDOWS\system32\MAIN.exe
2008-01-28 13:53 . 2008-02-01 20:14   220   --a------   C:\WINDOWS\wininit.ini
2008-01-28 12:22 . 2008-01-28 12:22   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-01-28 11:26 . 2008-01-28 13:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 23:07 . 2008-01-30 14:51   <DIR>   d--------   C:\Documents and Settings\DYKE\Application Data\AVG7
2008-01-27 23:06 . 2008-01-27 23:06   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-27 23:04 . 2008-01-27 23:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-27 23:04 . 2008-02-02 11:18   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg7
2008-01-22 21:26 . 2008-01-22 21:26   244   --ah-----   C:\sqmnoopt04.sqm
2008-01-22 21:26 . 2008-01-22 21:26   232   --ah-----   C:\sqmdata04.sqm
2008-01-21 23:50 . 2008-01-21 23:50   244   --ah-----   C:\sqmnoopt03.sqm
2008-01-21 23:50 . 2008-01-21 23:50   232   --ah-----   C:\sqmdata03.sqm
2008-01-17 01:44 . 2008-01-28 01:34   141   -r-hs----   C:\autorun.inf
2008-01-13 16:46 . 2008-01-13 16:46   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-13 16:46 . 2008-01-13 16:46   1,409   --a------   C:\WINDOWS\QTFont.for
2008-01-07 22:58 . 2008-01-07 22:58   244   --ah-----   C:\sqmnoopt01.sqm
2008-01-07 22:58 . 2008-01-07 22:58   232   --ah-----   C:\sqmdata01.sqm
2008-01-07 22:58 . 2008-01-07 22:58   160   --ah-----   C:\sqmnoopt02.sqm
2008-01-07 22:58 . 2008-01-07 22:58   148   --ah-----   C:\sqmdata02.sqm
2008-01-07 22:13 . 2008-01-07 22:13   244   --ah-----   C:\sqmnoopt00.sqm
2008-01-07 22:13 . 2008-01-07 22:13   232   --ah-----   C:\sqmdata00.sqm

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 10:00   ---------   d-----w   C:\Program Files\DAEMON Tools SearchBar
2008-01-28 16:59   ---------   d-----w   C:\Program Files\Norton SystemWorks
2008-01-28 16:59   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-01-28 16:56   ---------   d-----w   C:\Program Files\Symantec
2008-01-28 16:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-21 16:43   ---------   d-----w   C:\Program Files\Common Files\Teleca Shared
2007-12-21 16:37   ---------   d-----w   C:\Program Files\Windows Live Toolbar
2007-12-21 16:37   ---------   d-----w   C:\Program Files\GetRight
2007-12-21 16:37   ---------   d-----w   C:\Program Files\All Video to VCD SVCD DVD Creator & Burner
2007-12-21 15:59   ---------   d-----w   C:\Documents and Settings\DYKE\Application Data\AdobeUM
2007-12-16 15:10   203,264   ----a-w   C:\WINDOWS\system32\TigerLIVE StraightUp.scr
2007-12-14 03:32   12,632   ----a-w   C:\WINDOWS\system32\lsdelete.exe
2007-12-05 14:45   ---------   d-----w   C:\Program Files\Windows Live Favorites
2007-11-16 06:34   81,920   ----a-w   C:\WINDOWS\DUMPcd55.tmp
2007-11-14 07:26   450,560   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-11 12:29   8,464   ----a-w   C:\WINDOWS\system32\sporder.dll
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26   721,920   ------w   C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-08-31 18:55   1,433   -c--a-w   C:\Program Files\INSTALL.LOG
2004-05-21 08:59   62,865   -c--a-w   C:\WINDOWS\inf\IM\odysseyIM3.sys
2004-05-21 08:59   45,056   -c--a-w   C:\WINDOWS\inf\IM\imdinst.exe
2004-05-21 08:59   12,739   -c--a-w   C:\WINDOWS\inf\IM\odNetInstall.dll
2005-07-08 16:26   848   -csha-w   C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STDSB"="C:\WINDOWS\System32\STDSB.exe" [2002-02-27 19:30 28672]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-04-11 07:18 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-04-11 07:18 413696]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 19:00 46592 C:\WINDOWS\SOUNDMAN.EXE]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2002-01-25 02:30 290816]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 12:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:39 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:39 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:39 455168]
"MPTBox"="C:\Program Files\Canon\MultiPASS4\MPTBox.exe" [2002-11-01 16:13 167936]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-28 16:13 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 23:05 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 23:05 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-09 00:41:45 113664]
D-Link AirPlus G+ Wireless Adapter Utility.lnk - C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE [2005-09-04 02:25:13 667648]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 16:15:54 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-24 05:51:52 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

R2 MTC0003_STDSB;Scroll Bar Driver;C:\WINDOWS\system32\STDSB.sys [2002-06-19 12:23]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-05-21 16:59]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS [2005-06-09 13:15]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 21:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 14:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 14:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 14:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 14:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 14:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 14:58]
S3 TNET1130;D-Link AirPlus G+ Wireless Adapter;C:\WINDOWS\system32\DRIVERS\GPlus.sys [2004-05-21 16:59]
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [2001-11-29 07:09]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys []
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys []
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys []
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys []
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys []
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 09:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf01190-906c-11dc-b956-0040d031f6ce}]
\Shell\AutoRun\command - m1t8ta.com
\Shell\explore\Command - m1t8ta.com
\Shell\open\Command - m1t8ta.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56456191-8f64-11dc-b94e-0040d031f6ce}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - E:\Boot.exe e

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 08:47:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:31:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-02 17:35:01
.
2008-02-01 18:56:00   --- E O F ---  


And here's the new HiJackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:16 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?5bfd861866d44dfe952bd7d1ef3874d0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?5bfd861866d44dfe952bd7d1ef3874d0
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qt...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194705133578
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8145 bytes

Thnx ^^
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Spyware and Malware
« Reply #5 on: February 02, 2008, 10:35:29 PM »
Try the following and then we'll go from there
use the Internet Explorer browser (or FireFox with IETab), and do an online scan with [color=\"blue\"]Kaspersky Online Scanner[/color]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet [color=\"#3333FF\"]Explorer 7[/color] users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%[/i].)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        [color=\"#6666CC\"]Extended[/color]
    • Scan Options:
        [color=\"#6666CC\"]Scan Archives[/color]
        [color=\"#6666CC\"]Scan Mail Bases[/color]
        [/list]
        [/list]
        • Click OK and, under select a target to scan, select My Computer
        When the scan is done, in the [color=\"Navy\"]Scan is completed [/color]window (below), any infection is displayed.
        There is no option to clean/disinfect, however, we need to analyze the information on the report.


        To obtain the report:
        Click on: Save Report As (above - red blinking arrow)
        Next, in the [color=\"Navy\"]Save as [/color]prompt, [color=\"navy\"]Save in[/color] area, select: Desktop
        In the [color=\"navy\"]File name[/color] area, use KScan, or something similar
        In [color=\"navy\"]Save as type[/color], click the drop arrow and select: Text file [*.txt]
        Then, click: Save
        Please post the [color=\"Navy\"]Kaspersky Online Scanner Report [/color]in your reply.

        Along with a fresh hijackthis log
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline vid85

        • Newbie
        • *
        • Posts: 27
        • Karma: +0/-0
          • View Profile
        Spyware and Malware
        « Reply #6 on: February 03, 2008, 10:03:00 AM »
        Hi, here's the Kaspersky Online Scanner Report:

        -------------------------------------------------------------------------------
         KASPERSKY ONLINE SCANNER REPORT
         Sunday, February 03, 2008 11:04:11 PM
         Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
         Kaspersky Online Scanner version: 5.0.98.0
         Kaspersky Anti-Virus database last update:  3/02/2008
         Kaspersky Anti-Virus database records: 546327
        -------------------------------------------------------------------------------

        Scan Settings:
           Scan using the following antivirus database: extended
           Scan Archives: true
           Scan Mail Bases: true

        Scan Target - My Computer:
           C:\
           D:\

        Scan Statistics:
           Total number of scanned objects: 48865
           Number of viruses found: 11
           Number of infected objects: 23
           Number of suspicious objects: 0
           Duration of the scan process: 02:30:09

        Infected Object Name / Virus Name / Last Action
        C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log   Object is locked   skipped
        C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log   Object is locked   skipped
        C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck   Object is locked   skipped
        C:\Documents and Settings\DYKE\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml   Object is locked   skipped
        C:\Documents and Settings\DYKE\Cookies\index.dat   Object is locked   skipped
        C:\Documents and Settings\DYKE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\DYKE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\DYKE\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\DYKE\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\DYKE\Local Settings\Temporary Internet Files\PhishingFilter\45E13EC5-3DB7-4B3D-9F80-073A58AB5E82.dat   Object is locked   skipped
        C:\Documents and Settings\DYKE\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\DYKE\ntuser.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
        C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
        C:\Program Files\DAEMON Tools SearchBar\search.dll   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
        C:\Program Files\DAEMON Tools SearchBar\search.dll_old   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
        C:\Program Files\DAEMON Tools SearchBar\Search.exe   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
        C:\Program Files\DAEMON Tools SearchBar\searchupdate.exe   Infected: not-a-virus:AdWare.Win32.SaveNow.ao   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\03FA619B.dll   Infected: Worm.Win32.AutoRun.bur   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3A4C06DE.exe   Infected: Worm.Win32.RJump.a   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\46C3276A   Infected: Trojan-Downloader.Win32.Dluca.ct   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\54A8428A.EXE   Infected: Virus.Win32.VB.bu   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\54F67B11.com   Infected: Worm.Win32.AutoRun.bur   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\54F9250D.exe   Infected: Worm.Win32.AutoRun.bur   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5D56009B.exe   Infected: Worm.Win32.RJump.a   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6A431FB5.exe   Infected: Virus.Win32.AutoRun.nw   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6A4649B1.exe   Infected: Virus.Win32.AutoRun.nw   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6F7170D5.swf   Infected: Trojan-Downloader.SWF.Gida.a   skipped
        C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7EE31AA5.EXE   Infected: Virus.Win32.VB.bu   skipped
        C:\RECYCLER\NPROTECT\00015932.exe   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
        C:\System Volume Information\_restore{DB6066BB-749D-4F9E-823D-B1EAD6E02BF6}\RP446\A0444173.dll   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
        C:\System Volume Information\_restore{DB6066BB-749D-4F9E-823D-B1EAD6E02BF6}\RP450\A0444997.exe   Infected: not-a-virus:AdWare.Win32.RK.t   skipped
        C:\System Volume Information\_restore{DB6066BB-749D-4F9E-823D-B1EAD6E02BF6}\RP450\A0445003.dll   Infected: Trojan-PSW.Win32.OnLineGames.oob   skipped
        C:\System Volume Information\_restore{DB6066BB-749D-4F9E-823D-B1EAD6E02BF6}\RP452\change.log   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308387$\autolfn.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308387$\spuninst\spuninst.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308387$\spuninst\spuninst.inf   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308402$\spcmdcon.sys   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.inf   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308402$\srrstr.dll   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308677$\userenv.dll   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308678$\msobmain.dll   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308678$\msobshel.htm   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308678$\spuninst\spuninst.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ308678$\spuninst\spuninst.inf   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ315000$\netsetup.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.inf   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ315000$\ssdpapi.dll   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ315000$\ssdpsrv.dll   Object is locked   skipped
        C:\WINDOWS\$NtUninstallQ315000$\upnp.dll   Object is locked   skipped
        C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
        C:\WINDOWS\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE   Infected: not-a-virus:NetTool.Win32.PsKill.a   skipped
        C:\WINDOWS\RESTORE.INS   ARJ: infected - 1   skipped
        C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
        C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
        C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
        C:\WINDOWS\system\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE   Infected: not-a-virus:NetTool.Win32.PsKill.a   skipped
        C:\WINDOWS\system\RESTORE.INS   ARJ: infected - 1   skipped
        C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
        C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
        C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
        C:\WINDOWS\system32\config\DEFAULT   Object is locked   skipped
        C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\SAM   Object is locked   skipped
        C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
        C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
        C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\SOFTWARE   Object is locked   skipped
        C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
        C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
        C:\WINDOWS\system32\config\SYSTEM   Object is locked   skipped
        C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
        C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
        C:\WINDOWS\wiadebug.log   Object is locked   skipped
        C:\WINDOWS\wiaservc.log   Object is locked   skipped
        C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped

        Scan process completed.

        And here's a fresh hijackthis log:

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 11:08:19 PM, on 2/3/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        C:\WINDOWS\system32\slserv.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\STDSB.exe
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\System32\khooker.exe
        C:\Program Files\Canon\MultiPASS4\MPTBox.exe
        C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        C:\Program Files\Common Files\Teleca Shared\Generic.exe
        C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
        C:\Program Files\MSN Messenger\usnsvc.exe
        C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
        O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
        O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
        O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
        O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
        O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
        O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
        O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
        O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
        O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
        O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
        O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?5bfd861866d44dfe952bd7d1ef3874d0
        O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?5bfd861866d44dfe952bd7d1ef3874d0
        O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qt...meInstaller.exe
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
        O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194705133578
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

        --
        End of file - 8156 bytes
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Spyware and Malware
        « Reply #7 on: February 03, 2008, 04:23:49 PM »
        Does this computer still have Daemon tools installed?
        They installed the WhenuSearch toolbar which is not recommended

        Did the computer have Norton SystemWorks installed and it has been removed?
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline vid85

        • Newbie
        • *
        • Posts: 27
        • Karma: +0/-0
          • View Profile
        Spyware and Malware
        « Reply #8 on: February 03, 2008, 09:04:23 PM »
        Hi, I'm not sure if the DAEMON TOOLS still installed as I could not found Daemon Tools under Add/Remove, but I did found a folder called "DAEMON TOOLS SEARCHBAR" in the Program Files folder. Shld I delete it?

        As for the Norton SystemWorks, yes, this com was installed with Norton SystemWorks and it had be remove, but there's a folder "Norton SystemWorks" in the Program Files folder as well, so shld i delete it too?
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Spyware and Malware
        « Reply #9 on: February 03, 2008, 09:49:28 PM »
        Can you do the following
        Norton didn't appear to be completely removed
        Go to the following link
        http://service1.symantec.com/SUPPORT/nsw.n...001091013435207
        Run all of STEP 2

        Afterwards, when you have finished rebooting
        Let's see if we can uninstall the toolbar
        Go to START>>RUN>>copy/paste the next line below in bold to the Open field

        C:\Program Files\WhenUSearch\Uninst.exe /tWHSE
        Don't hit OK yet, instead make sure to close any browser windows down then click OK

        Come back here
        download the [color=\"red\"]OTMoveIt2 by OldTimer[/color][/url].
        • Save it to your desktop.
        • Double-click OTMoveIt2.exe to run it.
        • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
          ==============================================================================
          E:\Boot.exe
          C:\Program Files\DAEMON Tools SearchBar
          C:\Program Files\WhenUSearch
          HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf01190-906c-11dc-b956-0040d031f6ce}
          HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56456191-8f64-11dc-b94e-0040d031f6ce}

          ==============================================================================
        • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the [color=\"yellow\"]yellow[/color] bar) and choose Paste.

        • Click the red [color=\"red\"]Moveit![/color] button.
        • Close OTMoveIt2
        If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

        OTMoveIt would of created a log at this location
        C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

        Post that log please along with a fresh hijackthis log
        Along with thoset logs, can you also do the following
        Scan a couple files for me

        go to this link

        http://www.virustotal.com/flash/index_en.html
        Copy and paste a few of those files, one at a time to the Upload a File
        As eg.. copy>>paste this
        C:\WINDOWS\system32\MAIN.exe


        Then use the SEND FILE button
        Let it finish scanning
        Could you post back the results this scan back here please
        Do the same for this file
        C:\WINDOWS\wininit.ini
        « Last Edit: February 04, 2008, 09:19:58 AM by guestolo »
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline vid85

        • Newbie
        • *
        • Posts: 27
        • Karma: +0/-0
          • View Profile
        Spyware and Malware
        « Reply #10 on: February 04, 2008, 02:43:39 AM »
        Hi there, when I do this step:
        "Go to START>>RUN>>copy/paste the next line below in bold to the Open field

        C:\Program Files\WhenUSearch\Uninst.exe /tWHSE
        Don't hit OK yet, instead make sure to close any browser windows down then click OK"

        It seems that the files or folder could not be located. It says that the C:\Program Files\WhenUSearch refers to a location that is unavailable. When I try to search the folder manually, it could not be found too.

        So shld I continue the steps from:

        "download the OTMoveIt2 by OldTimer." ??
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Spyware and Malware
        « Reply #11 on: February 04, 2008, 09:19:02 AM »
        Quote
        So shld I continue the steps from:

        "download the OTMoveIt2 by OldTimer." ??

        Yes, please continue
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline vid85

        • Newbie
        • *
        • Posts: 27
        • Karma: +0/-0
          • View Profile
        Spyware and Malware
        « Reply #12 on: February 04, 2008, 11:05:01 AM »
        Hi, this is the log from OTMoveIt2:

        [Custom Input]
        < E:\Boot.exe >
        File/Folder E:\Boot.exe not found.
        < C:\Program Files\DAEMON Tools SearchBar >
        C:\Program Files\DAEMON Tools SearchBar moved successfully.
        < C:\Program Files\WhenUSearch >
        File/Folder C:\Program Files\WhenUSearch not found.
        < HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf01190-906c-11dc-b956-0040d031f6ce} >
        Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf01190-906c-11dc-b956-0040d031f6ce}\\ deleted successfully.
        < HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56456191-8f64-11dc-b94e-0040d031f6ce} >
        Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56456191-8f64-11dc-b94e-0040d031f6ce}\\ deleted successfully.
         
        OTMoveIt2 v1.0.17 log created on 02042008_234622

        And here is the hijakcthis log:

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 11:58:51 PM, on 2/4/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        C:\WINDOWS\system32\slserv.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\STDSB.exe
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\System32\khooker.exe
        C:\Program Files\Canon\MultiPASS4\MPTBox.exe
        C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        C:\Program Files\Common Files\Teleca Shared\Generic.exe
        C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
        C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
        C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
        O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
        O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
        O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
        O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
        O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
        O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
        O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
        O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
        O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
        O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
        O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
        O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?5bfd861866d44dfe952bd7d1ef3874d0
        O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?5bfd861866d44dfe952bd7d1ef3874d0
        O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qt...meInstaller.exe
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
        O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194705133578
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

        --
        End of file - 8160 bytes

        Here is the scan result for C:\WINDOWS\system32\MAIN.exe:

        Antivirus     Version     Last Update     Result
        AhnLab-V3   2008.2.4.10   2008.02.04   -
        AntiVir   7.6.0.62   2008.02.04   -
        Authentium   4.93.8   2008.02.04   -
        Avast   4.7.1098.0   2008.02.03   -
        AVG   7.5.0.516   2008.02.04   -
        BitDefender   7.2   2008.02.04   -
        CAT-QuickHeal   9.00   2008.02.04   -
        ClamAV   0.92   2008.02.04   -
        DrWeb   4.44.0.09170   2008.02.04   -
        eSafe   7.0.15.0   2008.01.28   suspicious Trojan/Worm
        eTrust-Vet   31.3.5509   2008.02.04   -
        Ewido   4.0   2008.02.04   -
        FileAdvisor   1   2008.02.04   -
        Fortinet   3.14.0.0   2008.02.04   -
        F-Prot   4.4.2.54   2008.02.03   -
        F-Secure   6.70.13260.0   2008.02.04   -
        Ikarus   T3.1.1.20   2008.02.04   -
        Kaspersky   7.0.0.125   2008.02.04   -
        McAfee   5221   2008.02.01   -
        Microsoft   1.3204   2008.02.04   -
        NOD32v2   2847   2008.02.04   -
        Norman   5.80.02   2008.02.01   -
        Panda   9.0.0.4   2008.02.04   -
        Prevx1   V2   2008.02.04   Generic.Malware
        Rising   20.29.22.00   2008.01.30   -
        Sophos   4.26.0   2008.02.04   -
        Sunbelt   2.2.907.0   2008.02.02   -
        Symantec   10   2008.02.04   -
        TheHacker   6.2.9.208   2008.02.04   -
        VBA32   3.12.6.0   2008.02.03   -
        VirusBuster   4.3.26:9   2008.02.04   -
        Webwasher-Gateway   6.6.2   2008.02.04   -

        And this is the result for C:\WINDOWS\wininit.ini:

        Antivirus     Version     Last Update     Result
        AhnLab-V3   2008.2.4.10   2008.02.04   -
        AntiVir   7.6.0.62   2008.02.04   -
        Authentium   4.93.8   2008.02.04   -
        Avast   4.7.1098.0   2008.02.03   -
        AVG   7.5.0.516   2008.02.04   -
        BitDefender   7.2   2008.02.04   -
        CAT-QuickHeal   9.00   2008.02.04   -
        ClamAV   0.92   2008.02.04   -
        DrWeb   4.44.0.09170   2008.02.04   -
        eSafe   7.0.15.0   2008.01.28   -
        eTrust-Vet   31.3.5509   2008.02.04   -
        Ewido   4.0   2008.02.04   -
        FileAdvisor   1   2008.02.04   -
        Fortinet   3.14.0.0   2008.02.04   -
        F-Prot   4.4.2.54   2008.02.03   -
        F-Secure   6.70.13260.0   2008.02.04   -
        Ikarus   T3.1.1.20   2008.02.04   -
        Kaspersky   7.0.0.125   2008.02.04   -
        McAfee   5221   2008.02.01   -
        Microsoft   1.3204   2008.02.04   -
        NOD32v2   2847   2008.02.04   -
        Norman   5.80.02   2008.02.01   -
        Panda   9.0.0.4   2008.02.04   -
        Prevx1   V2   2008.02.04   -
        Rising   20.29.22.00   2008.01.30   -
        Sophos   4.26.0   2008.02.04   -
        Sunbelt   2.2.907.0   2008.02.02   -
        Symantec   10   2008.02.04   -
        TheHacker   6.2.9.208   2008.02.04   -
        VBA32   3.12.6.0   2008.02.03   -
        VirusBuster   4.3.26:9   2008.02.04   -
        Webwasher-Gateway   6.6.2   2008.02.04   -
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Spyware and Malware
        « Reply #13 on: February 04, 2008, 08:05:57 PM »
        Just some final steps
        Do a "System scan only" with Hijackthis and put a check next to these entries:

        O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE


        After you have ticked the above entries, close All other open windows
        Including this one
        Leave Hijackthis open and click FIX CHECKED
        OK the prompt and exit Hijackthis

        OTMoveit2
        • Double-click OTMoveIt2.exe to run it.
        • Copy the file paths below to the clipboard in blue by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
          ==============================================================================
          [color=\"#0000FF\"]C:\WINDOWS\system32\MAIN.exe
          C:\Program Files\Norton SystemWorks
          C:\RECYCLER\NPROTECT[/color]

          ==============================================================================
        • Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window  and choose "Paste".
        • Click the red "[color=\"red\"]MoveIt![/color]" button.
        • Close OTMoveIt when it has completed.
        [color=\"red\"]Note[/color]:  If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

        come back here and post a fresh hijackthis log
        Also post the new log from OTMoveIt
        Let me know how things are running

        NOTE: the USB thumbdrive your friend has MUST be disinfected properly before using it again on this computer
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline vid85

        • Newbie
        • *
        • Posts: 27
        • Karma: +0/-0
          • View Profile
        Spyware and Malware
        « Reply #14 on: February 09, 2008, 03:49:02 AM »
        Hey.. Sorri for the late reply.. Here's the new hijackthis log:

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 4:51:23 PM, on 2/9/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        C:\WINDOWS\system32\slserv.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\STDSB.exe
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\System32\khooker.exe
        C:\Program Files\Canon\MultiPASS4\MPTBox.exe
        C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
        C:\PROGRA~1\Mozilla Firefox\firefox.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
        O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
        O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
        O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
        O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
        O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
        O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
        O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
        O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
        O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
        O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
        O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
        O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?5bfd861866d44dfe952bd7d1ef3874d0
        O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?5bfd861866d44dfe952bd7d1ef3874d0
        O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/qt...meInstaller.exe
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
        O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194705133578
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
        O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

        --
        End of file - 7807 bytes

        And here's the new OTMoveIt log:

        C:\WINDOWS\system32\MAIN.exe moved successfully.
        File/Folder C:\Program Files\Norton SystemWorks not found.
        C:\RECYCLER\NPROTECT moved successfully.
         
        OTMoveIt2 v1.0.17 log created on 02092008_145740

        Everything seems running well after i did all the steps, and remove the spyware/adware using spybot search and destroy and ad-aware. ^^
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Spyware and Malware
        « Reply #15 on: February 09, 2008, 10:24:09 PM »
        If everything is running better, I suggest that you do the following
        Older System Restore points are infected
        Go to START>>All Programs>>Accessories>>System Tools>>System Restore
        Select>>Create a New restore point
        Give it a name, any name,
        eg... Michelle
         and click Create
        Windows will prompt when it was created successfully

        When that's done

        Go to START>>RUN>>type the following
        cleanmgr
        Hit OK
        Let if finish calculating

        Select the More Options tab
        and click Cleanup.. under 'System Restore'
        This will clear all later restore points except for the one you just made

        Ok the prompts, it may take a few seconds to remove old restore points
        Ok again after it's ready and let it finish cleaning

        Go to START>>RUN>>Copy then paste the next command below in bold
        Then hit OK

        combofix /u

        This will uninstall combofix and it's components

        OTMoveit.exe
        • Please double-click OTMoveIt.exe to run it.
        • Click the Cleanup! button
          A list will be downloaded>>Allow it Internet access if prompted by your Firewall
          Don't change anything in this list
        • Select Yes at the prompt
          Wait for the confirmation box to open to reboot the computer
          Don't mouseclick during the wait as you may cause the tool to stall
        • Select Yes to reboot Now
        NOTE: This procedure will also delete OTMoveit.exe from desktop and other tools we used for cleaning

        I suggest that you add SpywareBlaster to your protection software
        SpywareBlaster 3.5.1 by JavaCool  
          *Will block bad ActiveX Controls
          *Block Malevolent cookies in Internet Explorer and Firefox
          *Restrict actions of potentially dangerous sites in Internet Explorer
        After installation, Check for updates
        After updating, select "Protection" on the Left
        Then select "Enable all Protection"
        "Check for updates every couple of weeks"
        after every update just simply click the "enable protection on all unprotected items"

        Take a look at the following
        Why Did I get Infected in the First Place?

        I hope that helps
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline vid85

        • Newbie
        • *
        • Posts: 27
        • Karma: +0/-0
          • View Profile
        Spyware and Malware
        « Reply #16 on: February 11, 2008, 10:47:24 AM »
        Hey thnx alot!!! Everything looks ok now. Thnx for the help ^^
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Spyware and Malware
        « Reply #17 on: February 11, 2008, 10:50:55 PM »
        Your welcome, I'll lock this topic as your problems are resolved
        Take care  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Pages: [1]
        « previous next »