Sign in to follow this  
sirneedshelpnow

Warning! Spyware has been detected

Recommended Posts

Any help with this issue would be greatly appreciated. I didn't read the sticky before my original post so please delete the orginal as I couldn't edit or delete. My apologies.

 

EDIT: This is the text from sirneedshelpnow's original post here - I will close Topic to avoid confusion. (Edit by Spike-nz)

 

I was on myspace on two different computers at two different times and I was hit with the blue screen saying that my computer was infected with spyware and had a yellow triangle wanting me to download programs. I also my task manager is disabled by administrator. On my computer, I can download stuff (avg anti-spyware - free edition) and on the other I can't download anything. What do I do and can anyone please help me?

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:24:51 AM, on 4/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Trend Micro\Antivirus\pccguide.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Kathy\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)

O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)

O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)

O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)

O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)

O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

 

--

End of file - 9422 bytes

Edited by spike-nz
Contents of duplicate topic pasted into the top

Share this post


Link to post
Share on other sites

Hello and welcome to LS Support Forums :unsure:

 

Please rerun a scan with HijackThis and check the following objects for removal:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)

O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)

O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)

O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)

O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)

O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)

O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)

O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

 

Close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis & reboot.

 

-------

 

Then... Please download Deckard's System Scanner (DSS) and save it to your Desktop.

  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Share this post


Link to post
Share on other sites

Only main.txt came up. I even looked inside the c:Deckard folder for it and nothing.

 

 

 

Deckard's System Scanner v20071014.68

Run by Kathy on 2008-04-09 18:58:15

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis (run as Kathy.exe) -----------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:58:16 PM, on 4/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\Trend Micro\Antivirus\pccguide.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Kathy\Desktop\dss.exe

C:\DOCUME~1\Kathy\Desktop\Kathy.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

 

--

End of file - 8714 bytes

 

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

 

2008-04-07 16:51:05 0 d-------- C:\WINDOWS\ERUNT

2008-04-07 16:49:51 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

2008-04-07 16:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-04-07 16:15:48 0 d-------- C:\Program Files\SUPERAntiSpyware

2008-04-07 16:15:48 0 d-------- C:\Documents and Settings\Kathy\Application Data\SUPERAntiSpyware.com

2008-04-07 16:15:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-07 16:14:57 0 d-------- C:\Documents and Settings\Kathy\Application Data\Grisoft

2008-04-07 16:14:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-04-05 11:39:39 0 d--h----- C:\WINDOWS\PIF

2008-04-05 10:31:48 0 d-------- C:\Program Files\stc

2008-04-05 10:31:46 25856 --a------ C:\WINDOWS\mspphe.dll

2008-04-05 10:31:46 15616 --a------ C:\WINDOWS\bjam.dll

2008-04-05 10:31:45 22016 --a------ C:\WINDOWS\system32\WER8274.DLL

2008-04-05 10:31:45 13312 --a------ C:\WINDOWS\system32\MSIXU.DLL

2008-04-05 10:31:45 26368 --a------ C:\WINDOWS\2020search.dll

2008-04-05 10:31:44 18688 --a------ C:\WINDOWS\updatetc.exe

2008-04-05 10:31:44 23040 --a------ C:\WINDOWS\salm.exe

2008-04-05 10:31:44 0 d-------- C:\Program Files\180solutions

2008-04-05 10:31:43 21760 --a------ C:\WINDOWS\system32\MSNSA32.dll

2008-04-05 10:31:43 26368 --a------ C:\WINDOWS\saiemod.dll

2008-04-05 10:31:43 0 d-------- C:\WINDOWS\FLEOK

2008-04-05 10:31:42 31488 --a------ C:\WINDOWS\system32\SIPSPI32.dll

2008-04-05 10:31:42 20480 --a------ C:\WINDOWS\msapasrc.dll

2008-04-05 10:31:42 20480 --a------ C:\WINDOWS\msa64chk.dll

2008-04-05 10:31:41 26368 --a------ C:\WINDOWS\system32\shdocpe.dll

2008-04-05 10:31:41 11776 --a------ C:\WINDOWS\shdocpl.dll

2008-04-05 10:31:41 20736 --a------ C:\WINDOWS\ntnut.exe

2008-04-05 10:31:40 24576 --a------ C:\WINDOWS\winsb.dll

2008-04-05 10:31:40 27648 --a------ C:\WINDOWS\shdocpe.dll

2008-04-05 10:31:40 22272 --a------ C:\WINDOWS\browserad.dll

2008-04-05 10:31:40 0 d-------- C:\Program Files\Sysmnt

2008-04-05 10:31:39 8704 --a------ C:\WINDOWS\aviwrap32.dll

2008-04-05 10:31:39 17152 --a------ C:\WINDOWS\avisynthex32.dll

2008-04-05 10:31:39 26880 --a------ C:\WINDOWS\avifile32.dll

2008-04-05 10:31:39 22528 --a------ C:\WINDOWS\autodisc32.dll

2008-04-05 10:31:38 32000 --a------ C:\WINDOWS\audiosrv32.dll

2008-04-05 10:31:38 28416 --a------ C:\WINDOWS\ati2dvag32.dll

2008-04-05 10:31:37 9984 --a------ C:\WINDOWS\ati2dvaa32.dll

2008-04-05 10:31:37 18176 --a------ C:\WINDOWS\athprxy32.dll

2008-04-05 10:31:37 13312 --a------ C:\WINDOWS\asycfilt32.dll

2008-04-05 10:31:37 26880 --a------ C:\WINDOWS\asferror32.dll

2008-04-05 10:31:37 20992 --a------ C:\WINDOWS\apphelp32.dll

2008-04-05 10:31:36 32256 --a------ C:\WINDOWS\changeurl_30.dll

2008-04-05 10:12:05 0 d-------- C:\Documents and Settings\Kathy\Application Data\F?nts

2008-04-05 10:10:44 0 d-------- C:\Program Files\Bat

2008-04-05 10:10:34 0 d-------- C:\Documents and Settings\Kathy\Application Data\?ymantec

2008-03-25 21:10:50 0 d-------- C:\Documents and Settings\Mike\Application Data\MySpace

2008-03-24 14:58:06 0 d-------- C:\Documents and Settings\Kathy\Application Data\MySpace

2008-03-24 14:58:02 0 d-------- C:\Program Files\MySpace

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-04-07 17:05:09 0 d-------- C:\Program Files\Common Files

2008-04-05 10:12:05 0 d-------- C:\Documents and Settings\Kathy\Application Data\F?nts

2008-04-05 10:10:34 0 d-------- C:\Documents and Settings\Kathy\Application Data\?ymantec

2008-02-12 19:38:24 0 d-------- C:\Documents and Settings\Kathy\Application Data\Sonic

2008-02-12 19:37:58 0 d-------- C:\Documents and Settings\Kathy\Application Data\Leadertech

2008-02-12 19:36:17 0 d-------- C:\Documents and Settings\Kathy\Application Data\Apple Computer

2008-02-10 15:25:49 0 d-------- C:\Program Files\iTunes

2008-02-10 15:25:42 0 d-------- C:\Program Files\iPod

2008-02-10 15:25:26 0 d-------- C:\Program Files\QuickTime

2008-02-10 15:24:49 0 d-------- C:\Program Files\Apple Software Update

2008-02-10 15:22:58 0 d-------- C:\Program Files\MixMeister EZ Vinyl Converter

2008-02-09 12:17:56 0 d-------- C:\Documents and Settings\Kathy\Application Data\Adobe

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 09:49 PM]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 09:46 PM]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 09:50 PM]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 04:12 AM]

"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/27/2006 05:16 PM]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 10:41 AM]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 08:20 PM]

"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 08:20 PM]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [03/27/2006 05:25 PM]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [07/12/2005 08:05 PM]

"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [02/17/2004 06:51 PM]

"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [02/17/2004 06:51 PM]

"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [02/17/2004 06:50 PM]

"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 12:06 PM]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]

"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [05/25/2004 09:16 AM]

"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [07/20/2004 09:34 AM]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [04/27/2007 12:25 PM]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]

"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [11/13/2007 05:46 PM]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/27/2006 5:16:15 PM]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/27/2006 5:14:04 PM]

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [7/22/2005 3:47:22 AM]

Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 2:12:08 PM]

Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [4/3/2006 5:23:59 PM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command- E:\setup.exe

 

 

 

 

-- End of Deckard's System Scanner: finished at 2008-04-09 18:58:40 ------------

Edited by sirneedshelpnow

Share this post


Link to post
Share on other sites

Please follow the instructions for running ComboFix here and post back with the log once done. :)

Share this post


Link to post
Share on other sites

Was following the directions as oulined in the link in the last post and came to the section for Windows Recovery Console. Which one do I need, computer says it's a Media Edition?

 

Windows XP Service Pack 2 (SP2)

For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:

 

Windows XP Home Edition SP2

 

Windows XP Professional SP2

Edited by sirneedshelpnow

Share this post


Link to post
Share on other sites

Unless I'm mistaken, that's XP Pro (media edition, that is). :)

Share this post


Link to post
Share on other sites

Tried running ComboFix after dragging the Windows Recovery Console icon on top. I double clicked on Combo Fix and hit run and a small blue screen appeared then disappeared in a matter of seconds and nothing prompted me to do anything or save any logs. Did I do something wrong?

Edited by sirneedshelpnow

Share this post


Link to post
Share on other sites

ComboFix should run automatically when you drag the recovery console installation file on it. Try again and see if anything happens? :)

 

If nothing happens, let's run a scanner and then just get rid of the rest manually.

 

Please download Malwarebytes' Anti-Malware and save it to your desktop.

alternate download link 1

alternate download link 2

  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :lol:

Extra note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Share this post


Link to post
Share on other sites

Hi Rawe,

 

I wanted to give you a heads up that I am leaving town and I should return by the middle of next week (4-16-08) and didn't want you to think I up and left. Please let me know if this will be a problem?

Share this post


Link to post
Share on other sites

No problem whatsoever. Thank you for letting me know - much appreciated. :)

 

Will be around when you get back.

Share this post


Link to post
Share on other sites

Sorry for the delay. I was able to get ComboFix to work and here is the log.

 

ComboFix 08-04-20.5 - Kathy 2008-04-22 16:04:12.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.505 [GMT -4:00]

Running from: C:\Documents and Settings\Kathy\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kathy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Kathy\Application Data\FNTS~1

C:\Documents and Settings\Kathy\Application Data\YMANTE~1

C:\Documents and Settings\Kathy\Application Data\YMANTE~1\?ymantec\

C:\Documents and Settings\Kathy\Application Data\YMANTE~1\ati2evxx.exe

C:\Program Files\180solutions

C:\Program Files\180solutions\sais.exe

C:\Program Files\stc

C:\Program Files\stc\csv5p070.exe

C:\Program Files\Sysmnt

C:\Program Files\Sysmnt\Ssmgr.exe

C:\WINDOWS\123messenger.per

C:\WINDOWS\2020search.dll

C:\WINDOWS\apphelp32.dll

C:\WINDOWS\asferror32.dll

C:\WINDOWS\asycfilt32.dll

C:\WINDOWS\athprxy32.dll

C:\WINDOWS\ati2dvaa32.dll

C:\WINDOWS\ati2dvag32.dll

C:\WINDOWS\audiosrv32.dll

C:\WINDOWS\autodisc32.dll

C:\WINDOWS\avifile32.dll

C:\WINDOWS\avisynthex32.dll

C:\WINDOWS\aviwrap32.dll

C:\WINDOWS\bjam.dll

C:\WINDOWS\browserad.dll

C:\WINDOWS\changeurl_30.dll

C:\WINDOWS\didduid.ini

C:\WINDOWS\FLEOK

C:\WINDOWS\licencia.txt

C:\WINDOWS\msa64chk.dll

C:\WINDOWS\msapasrc.dll

C:\WINDOWS\mspphe.dll

C:\WINDOWS\ntnut.exe

C:\WINDOWS\saiemod.dll

C:\WINDOWS\salm.exe

C:\WINDOWS\shdocpe.dll

C:\WINDOWS\shdocpl.dll

C:\WINDOWS\system32\msixu.dll

C:\WINDOWS\system32\MSNSA32.dll

C:\WINDOWS\system32\shdocpe.dll

C:\WINDOWS\system32\SIPSPI32.dll

C:\WINDOWS\system32\wer8274.dll

C:\WINDOWS\telefonos.txt

C:\WINDOWS\textos.txt

C:\WINDOWS\updatetc.exe

C:\WINDOWS\winsb.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))

.

 

2008-04-07 23:09 . 2008-04-07 23:09 <DIR> d-------- C:\Deckard

2008-04-07 16:51 . 2008-04-07 16:51 <DIR> d-------- C:\WINDOWS\ERUNT

2008-04-07 16:50 . 2008-04-07 21:04 <DIR> d-------- C:\SDFix

2008-04-07 16:49 . 2008-04-07 16:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

2008-04-07 16:16 . 2008-04-07 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-04-07 16:15 . 2008-04-07 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-04-07 16:15 . 2008-04-07 16:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-07 16:15 . 2008-04-07 16:15 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\SUPERAntiSpyware.com

2008-04-07 16:14 . 2008-04-07 16:14 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\Grisoft

2008-04-07 16:14 . 2008-04-07 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-04-07 16:14 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2008-04-05 11:39 . 2008-04-05 11:39 <DIR> d--h----- C:\WINDOWS\PIF

2008-04-05 10:11 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

2008-04-05 10:10 . 2008-04-05 10:14 <DIR> d-------- C:\Program Files\Bat

2008-03-25 21:10 . 2008-03-25 21:10 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\MySpace

2008-03-24 14:58 . 2008-03-24 14:58 <DIR> d-------- C:\Program Files\MySpace

2008-03-24 14:58 . 2008-03-24 14:58 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\MySpace

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 01:21 --------- d-----w C:\Documents and Settings\Mike\Application Data\Gtek

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

2006-12-08 13:59 56 --sh--r C:\WINDOWS\system32\62AB0835C5.sys

2007-10-08 20:14 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]

"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-27 17:16 26112]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41 282624]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]

"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 20:20 110592]

"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-27 17:25 169472]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]

"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51 950337]

"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51 634949]

"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50 290816]

"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06 106496]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]

"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 09:16 49152]

"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 12:25 257088]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-27 17:16:15 156784]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-27 17:14:04 24576]

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 151552]

Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-03 17:23:59 819200]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\America Online 9.0\\waol.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

 

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]

R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]

R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-19 11:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-22 16:05:39

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

C:\WINDOWS\system32\clb.dll 10752 bytes executable

C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable

C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable

C:\WINDOWS\system32\clbcfg.dat 1680 bytes

C:\WINDOWS\system32\clbdll.dll 40960 bytes executable

C:\WINDOWS\system32\clbdll.old 40960 bytes executable

 

scan completed successfully

hidden files: 7

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]

"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

.

Completion time: 2008-04-22 16:06:20

ComboFix-quarantined-files.txt 2008-04-22 20:06:17

 

Pre-Run: 42,579,968,000 bytes free

Post-Run: 42,568,785,920 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

198 --- E O F --- 2008-04-09 23:18:15

Share this post


Link to post
Share on other sites

No probs about the delay :)

 

Please open notepad and copy/paste the text in the quotebox into it

 

Rootkit::

C:\WINDOWS\system32\drivers\clbdriver.sys

 

Driver::

clbdriver

 

Save it as CFScript.txt on your desktop.

 

CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Share this post


Link to post
Share on other sites

ComboFix 08-04-20.5 - Kathy 2008-04-22 17:00:40.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.519 [GMT -4:00]

Running from: C:\Documents and Settings\Kathy\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kathy\Desktop\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\drivers\clbdriver.sys

 

.

((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))

.

 

2008-04-07 23:09 . 2008-04-07 23:09 <DIR> d-------- C:\Deckard

2008-04-07 16:51 . 2008-04-07 16:51 <DIR> d-------- C:\WINDOWS\ERUNT

2008-04-07 16:50 . 2008-04-07 21:04 <DIR> d-------- C:\SDFix

2008-04-07 16:49 . 2008-04-07 16:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

2008-04-07 16:16 . 2008-04-07 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-04-07 16:15 . 2008-04-07 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-04-07 16:15 . 2008-04-07 16:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-07 16:15 . 2008-04-07 16:15 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\SUPERAntiSpyware.com

2008-04-07 16:14 . 2008-04-07 16:14 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\Grisoft

2008-04-07 16:14 . 2008-04-07 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-04-07 16:14 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2008-04-05 13:34 . 2008-04-21 17:09 1,680 --a------ C:\WINDOWS\system32\clbcfg.dat

2008-04-05 11:39 . 2008-04-05 11:39 <DIR> d--h----- C:\WINDOWS\PIF

2008-04-05 10:11 . 2008-04-09 18:54 40,960 --a------ C:\WINDOWS\system32\clbdll.old

2008-04-05 10:11 . 2008-04-10 16:36 40,960 --a------ C:\WINDOWS\system32\clbdll.dll

2008-04-05 10:11 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

2008-04-05 10:10 . 2008-04-05 10:14 <DIR> d-------- C:\Program Files\Bat

2008-03-25 21:10 . 2008-03-25 21:10 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\MySpace

2008-03-24 14:58 . 2008-03-24 14:58 <DIR> d-------- C:\Program Files\MySpace

2008-03-24 14:58 . 2008-03-24 14:58 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\MySpace

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 01:21 --------- d-----w C:\Documents and Settings\Mike\Application Data\Gtek

2006-12-08 13:59 56 --sh--r C:\WINDOWS\system32\62AB0835C5.sys

2007-10-08 20:14 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

 

((((((((((((((((((((((((((((( [email protected]_16.06.05.60 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll

+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll

+ 2004-08-10 10:00:00 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll

+ 2004-08-10 10:00:00 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll

- 2008-04-10 20:36:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-22 21:02:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2004-08-10 10:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll

+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll

+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]

"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-27 17:16 26112]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41 282624]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]

"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 20:20 110592]

"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-27 17:25 169472]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]

"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51 950337]

"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51 634949]

"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50 290816]

"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06 106496]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]

"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 09:16 49152]

"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 12:25 257088]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-27 17:16:15 156784]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-27 17:14:04 24576]

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 151552]

Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-03 17:23:59 819200]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]

@="driver"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\America Online 9.0\\waol.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

 

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]

R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]

R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-19 11:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-22 17:03:32

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\brss01a.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

.

**************************************************************************

.

Completion time: 2008-04-22 17:06:27 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-22 21:06:23

ComboFix2.txt 2008-04-22 20:06:21

 

Pre-Run: 42,566,688,768 bytes free

Post-Run: 42,557,284,352 bytes free

 

170 --- E O F --- 2008-04-09 23:18:15

Share this post


Link to post
Share on other sites

Please open notepad and copy/paste the text in the quotebox into it

 

File::

C:\WINDOWS\system32\clbdll.dll

 

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]

 

Save it as CFScript.txt on your desktop.

 

CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Share this post


Link to post
Share on other sites

ComboFix 08-04-20.5 - Kathy 2008-04-23 9:30:37.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.466 [GMT -4:00]

Running from: C:\Documents and Settings\Kathy\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kathy\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

C:\WINDOWS\system32\clbdll.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\clbdll.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))

.

 

2008-04-07 23:09 . 2008-04-07 23:09 <DIR> d-------- C:\Deckard

2008-04-07 16:51 . 2008-04-07 16:51 <DIR> d-------- C:\WINDOWS\ERUNT

2008-04-07 16:50 . 2008-04-07 21:04 <DIR> d-------- C:\SDFix

2008-04-07 16:49 . 2008-04-07 16:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

2008-04-07 16:16 . 2008-04-07 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-04-07 16:15 . 2008-04-07 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-04-07 16:15 . 2008-04-07 16:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-07 16:15 . 2008-04-07 16:15 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\SUPERAntiSpyware.com

2008-04-07 16:14 . 2008-04-07 16:14 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\Grisoft

2008-04-07 16:14 . 2008-04-07 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-04-07 16:14 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2008-04-05 13:34 . 2008-04-21 17:09 1,680 --a------ C:\WINDOWS\system32\clbcfg.dat

2008-04-05 11:39 . 2008-04-05 11:39 <DIR> d--h----- C:\WINDOWS\PIF

2008-04-05 10:11 . 2008-04-09 18:54 40,960 --a------ C:\WINDOWS\system32\clbdll.old

2008-04-05 10:11 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

2008-04-05 10:10 . 2008-04-05 10:14 <DIR> d-------- C:\Program Files\Bat

2008-03-25 21:10 . 2008-03-25 21:10 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\MySpace

2008-03-24 14:58 . 2008-03-24 14:58 <DIR> d-------- C:\Program Files\MySpace

2008-03-24 14:58 . 2008-03-24 14:58 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\MySpace

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 01:21 --------- d-----w C:\Documents and Settings\Mike\Application Data\Gtek

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

2006-12-08 13:59 56 --sh--r C:\WINDOWS\system32\62AB0835C5.sys

2007-10-08 20:14 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

 

((((((((((((((((((((((((((((( [email protected]_16.06.05.60 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll

+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll

+ 2004-08-10 10:00:00 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll

+ 2004-08-10 10:00:00 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll

- 2008-04-10 20:36:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-22 21:02:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2004-08-10 10:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll

+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll

+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]

"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-27 17:16 26112]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41 282624]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]

"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 20:20 110592]

"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-27 17:25 169472]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]

"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51 950337]

"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51 634949]

"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50 290816]

"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06 106496]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]

"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 09:16 49152]

"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 12:25 257088]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-27 17:16:15 156784]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-27 17:14:04 24576]

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 151552]

Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-03 17:23:59 819200]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\America Online 9.0\\waol.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

 

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]

R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]

R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-19 11:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-23 09:31:49

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-04-23 9:32:22

ComboFix-quarantined-files.txt 2008-04-23 13:32:19

ComboFix2.txt 2008-04-22 21:06:28

ComboFix3.txt 2008-04-22 20:06:21

 

Pre-Run: 42,528,526,336 bytes free

Post-Run: 42,515,173,376 bytes free

 

155 --- E O F --- 2008-04-09 23:18:15

Share this post


Link to post
Share on other sites

Scroll up a few posts back and run Malwarebytes' Anti-Malware with the instructions provided.

 

Instead of running Quick Scan though, please run the Full Scan.

 

Post back with the log and let me know how's the system running right now :)

Share this post


Link to post
Share on other sites

The system seems to be running a lot better now although I have not been online except to come here to post logs. I don't know if I have said this or not but you are awsome and thank you for all your help!!!

 

Malwarebytes' Anti-Malware 1.11

Database version: 673

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 81742

Time elapsed: 21 minute(s), 22 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 13

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.

 

Files Infected:

C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.

C:\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP575\A0033198.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP575\A0033210.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP575\A0034300.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.

C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.

Edited by sirneedshelpnow

Share this post


Link to post
Share on other sites

Am happy to help. :)

 

Please do post a fresh HijackThis log, just to triple check.

 

You can also uninstall Malwarebytes' if you wish and empty it's quarantine.

Share this post


Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:43:56 AM, on 4/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Trend Micro\Antivirus\pccguide.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

c:\program files\common files\installshield\updateservice\isuspm.exe

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Kathy\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

 

--

End of file - 9119 bytes

Share this post


Link to post
Share on other sites

Hello again...

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • On the pulldown-menu, choose Windows as your platform.
  • Check "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue.
  • Click on the link under Windows Offline Installation to download the file and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have next icon next to it: javaicon.jpg
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now to clean out the Java cache:

 

Go into the Control Panel and double-click the Java Icon.

  • Under Temporary Internet Files, click the Settings button.
  • Then click Delete Files...
  • There are two options in the window to clear the cache - Leave BOTH checked

    Applications and Applets
    Trace and Log Files

  • Click OK on Delete Temporary Files window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

----------

 

Looks fine. :)

 

Click Start -> Run and type in:

 

ComboFix /u

 

Click on OK. When shown the disclaimer, select 2.

 

Please download OTCleanIt and save it to desktop.

  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

 

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

 

Here's some tips for future to prevent spyware:

 

Detect and Remove Programs:

Prevention Programs:

  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

Other necessary Programs:

  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32 this is a must have. (Note to only use 1 at-the-time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note to only use 1 at-the-time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.

And also see TonyKlein's good advice:

So how did I get infected in the first place?

 

Setup guide for Comodo Firewall

Setup guide for Avast! 4 Free

Setup guide for AVG Free Antivirus

Share this post


Link to post
Share on other sites
Sign in to follow this