Author Topic: Advice Please (Read 6635 times)

skyblue · « **on:** April 19, 2008, 12:55:19 PM »

just scanned with avg and it has come up with these results ,is their anything i should be worried about

[recovering space - attachment deleted by admin]

evilfantasy · « **Reply #1 on:** April 19, 2008, 01:52:02 PM »

Empty your recycle bin. Clear all temp. files. Post a Hijackthis log.

skyblue · « **Reply #2 on:** April 19, 2008, 03:06:14 PM »

Thank you
Done as you said, heres the log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02:57, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\PCPal\PCPalSrvHost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\SPYWAR~4\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60076
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~4\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Photobucket Publisher - http://pic.photobucket.com/plugins/csve/photobucket_publisher.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8260 bytes

evilfantasy · « **Reply #3 on:** April 19, 2008, 03:21:56 PM »

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please copy and paste the log into your next reply

Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt

skyblue · « **Reply #4 on:** April 19, 2008, 03:59:25 PM »

Nothing to delete
Heres the log

Malwarebytes' Anti-Malware 1.05
Database version: 440

Scan type: Full Scan (C:\|)
Objects scanned: 68644
Time elapsed: 23 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

evilfantasy · « **Reply #5 on:** April 19, 2008, 04:09:34 PM »

OK, I think you are in the clear. The RECYCLERS shouldn't be able to harm you so lets do a cleaning.

Go to:

Start
Run
type: CLEANMGR.EXE
Press Enter.

When prompted select the C: drive and click OK.
Check the boxes for:

Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files

Click OK or Enter

Be careful with torrents. There are more with malware than there are without.

Let me know if anything else comes up.

skyblue · « **Reply #6 on:** April 20, 2008, 11:03:29 AM »

Quote

Let me know if anything else comes up.

Thanks evil for your advice
done everthing you have mentioned,
i have not been downloading any torrents since your advice.
just done a avg scan heres the result

[recovering space - attachment deleted by admin]

evilfantasy · « **Reply #7 on:** April 20, 2008, 11:14:41 AM »

I would like to check with this scan now.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

Important! Combofix.exe MUST be saved to and ran from the Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
Double click combofix.exe & follow the prompts.
Choose Yes to accept the Disclaimers.[

When finished, it will produce a log for you.
Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

.
Next post please add the combofix log.

skyblue · « **Reply #8 on:** April 20, 2008, 11:44:30 AM »

ComboFix 08-04-20.1 - Mike 2008-04-20 18:20:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.105 [GMT 1:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\inst.exe
C:\WINDOWS\system32\drivers\npf.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 20:56 . 2008-04-19 21:58   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avira
2008-04-19 20:38 . 2003-03-18 20:20   1,060,864   --a--c---   C:\WINDOWS\system32\MFC71.dll
2008-04-19 20:37 . 2008-04-19 20:44   <DIR>   d--------   C:\Program Files\Alwil Software
2008-04-19 16:36 . 2008-04-19 19:13   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
2008-04-19 14:56 . 2008-04-19 14:56   <DIR>   d--------   C:\Program Files\Sun
2008-04-19 07:35 . 2008-04-19 07:37   <DIR>   d--------   C:\Documents and Settings\Mike\.SunDownloadManager
2008-04-18 13:53 . 2004-06-23 18:26   1,994,752   ---------   C:\WINDOWS\UNNMP.exe
2008-04-18 13:53 . 2004-07-06 11:06   52,493   ---------   C:\WINDOWS\UNNMP.cfg
2008-04-18 13:50 . 2001-07-09 11:50   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2008-04-18 13:49 . 2004-06-23 18:26   1,994,752   ---------   C:\WINDOWS\UNNeroVision.exe
2008-04-18 13:49 . 2004-07-06 11:06   115,259   ---------   C:\WINDOWS\UNNeroVision.cfg
2008-04-17 20:52 . 2008-04-17 21:28   <DIR>   d--------   C:\dvdsanta
2008-04-17 14:33 . 2008-03-05 16:03   479,752   --a------   C:\WINDOWS\system32\XAudio2_0.dll
2008-04-17 14:33 . 2008-03-05 16:03   238,088   --a------   C:\WINDOWS\system32\xactengine3_0.dll
2008-04-17 14:33 . 2008-03-05 16:00   25,608   --a------   C:\WINDOWS\system32\X3DAudio1_3.dll
2008-04-17 14:32 . 2008-04-17 14:32   <DIR>   d--h-----   C:\WINDOWS\msdownld.tmp
2008-04-17 14:32 . 2008-03-05 15:56   3,786,760   --a------   C:\WINDOWS\system32\D3DX9_37.dll
2008-04-17 14:32 . 2008-03-05 15:56   1,420,824   --a------   C:\WINDOWS\system32\D3DCompiler_37.dll
2008-04-17 14:32 . 2008-02-05 23:07   462,864   --a------   C:\WINDOWS\system32\d3dx10_37.dll
2008-04-17 14:32 . 2008-04-17 14:32   98,304   --a------   C:\WINDOWS\system32\qttask.exe
2008-04-17 14:31 . 2008-04-17 14:31   <DIR>   d--------   C:\WINDOWS\system32\QuickTime
2008-04-17 14:31 . 2008-04-17 14:31   <DIR>   d--------   C:\Program Files\QuickTime Alternative
2008-04-17 14:31 . 2008-04-17 14:31   <DIR>   d--------   C:\Program Files\Media Player Classic
2008-04-17 14:31 . 2004-09-23 18:57   6,676,480   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-04-17 14:31 . 2004-09-23 18:57   747,008   --a------   C:\WINDOWS\system32\Indeo4.qtx
2008-04-17 14:31 . 2002-12-20 12:40   675,328   --a------   C:\WINDOWS\system32\ir50_32.qtx
2008-04-17 14:31 . 2004-09-23 18:57   430,592   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-04-17 14:31 . 2004-10-27 13:01   360,504   --a------   C:\WINDOWS\system32\QTPlugin.ocx
2008-04-17 14:31 . 2004-09-23 18:57   323,072   --a------   C:\WINDOWS\system32\QuickTime.cpl
2008-04-17 14:31 . 2004-01-12 17:57   86,016   --a------   C:\WINDOWS\system32\QuickTime.ax
2008-04-17 14:31 . 2004-09-23 18:57   70,144   --a------   C:\WINDOWS\system32\QuickTimeCheck.ocx
2008-04-17 13:35 . 2008-04-17 13:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-17 11:28 . 2008-04-17 12:06   <DIR>   d--------   C:\my dvd
2008-04-17 09:17 . 2008-04-17 09:17   <DIR>   d--------   C:\Program Files\Cedelia

skyblue · « **Reply #9 on:** April 20, 2008, 11:49:00 AM »

2008-04-17 08:41 . 2008-04-17 21:50   <DIR>   d--------   C:\Program Files\Easy Avi Divx Xvid to DVD Burner
2008-04-17 08:41 . 2008-04-17 22:42   67   --a------   C:\WINDOWS\Easy Avi Divx Xvid to DVD Burner.INI
2008-04-17 08:35 . 2008-04-17 21:35   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\DVD Flick
2008-04-17 08:24 . 2000-05-19 17:56   81,920   --a------   C:\WINDOWS\system32\mbmouse.ocx
2008-04-17 08:24 . 2000-11-05 15:27   36,864   --a------   C:\WINDOWS\system32\trayicon.ocx
2008-04-17 00:58 . 2008-04-19 09:39   <DIR>   dr-h-----   C:\$VAULT$.AVG
2008-04-16 23:06 . 2008-04-17 20:28   <DIR>   d--------   C:\Program Files\Any Video Converter
2008-04-16 23:06 . 2008-04-18 00:06   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\Any Video Converter
2008-04-16 22:33 . 2008-04-16 22:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-16 20:49 . 2008-04-16 20:49   47,360   --a------   C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-16 20:49 . 2008-04-17 21:33   47,360   --a------   C:\Documents and Settings\Mike\Application Data\pcouffin.sys
2008-04-15 23:25 . 2008-04-15 23:29   256   --a------   C:\WINDOWS\onlineeye.INI
2008-04-13 09:02 . 2008-04-13 09:02   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-13 09:01 . 2008-04-14 15:21   <DIR>   d--------   C:\Program Files\PCPitstop
2008-04-10 13:05 . 2008-04-14 19:49   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\Web Page Maker V2
2008-04-10 09:00 . 2008-04-20 18:08   <DIR>   d--------   C:\Program Files\Spyware Terminator
2008-04-10 09:00 . 2008-04-20 18:14   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\Spyware Terminator
2008-04-10 09:00 . 2008-04-20 12:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-10 09:00 . 2008-04-10 09:00   138,752   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-09 18:30 . 2008-04-09 18:30   0   --ah-----   C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_31280.LOG
2008-04-09 18:30 . 2008-04-09 18:30   0   --ah-----   C:\Documents and Settings\Mike\ntuser.dat_TU_90818.LOG
2008-04-09 18:30 . 2008-04-09 18:30   0   --ah-----   C:\Documents and Settings\LocalService\NTUSER.DAT_TU_25715.LOG
2008-04-09 18:06 . 2008-04-09 18:06   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\TuneUp Software
2008-04-07 08:16 . 2008-04-07 08:16   <DIR>   d--------   C:\Program Files\DeskSweeper
2008-04-06 11:58 . 2008-04-06 12:42   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\U3
2008-04-05 12:50 . 2008-04-05 13:06   <DIR>   d--------   C:\Program Files\Yahoo!
2008-04-04 17:41 . 2008-04-09 18:30   6,553,600   --a------   C:\Documents and Settings\Mike\ntuser.dat_BAK_90818
2008-04-03 19:49 . 2008-04-03 19:49   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\Grisoft
2008-04-03 19:49 . 2007-05-30 13:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-03 19:04 . 2008-04-20 17:21   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\AVG7
2008-04-03 19:03 . 2008-04-03 19:03   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-03 19:03 . 2008-04-03 20:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg7
2008-04-03 18:26 . 2008-04-03 18:26   <DIR>   d--------   C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-04-03 18:25 . 2008-04-03 18:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
2008-04-01 20:15 . 2008-04-01 20:15   <DIR>   d--h-----   C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-03-31 23:56 . 2008-04-01 00:03   <DIR>   d--------   C:\Program Files\Veoh Networks
2008-03-31 22:11 . 2008-03-31 22:35   <DIR>   d--------   C:\Program Files\Bestel Software
2008-03-31 20:25 . 2008-03-31 20:25   0   --a------   C:\WINDOWS\nsreg.dat
2008-03-31 20:06 . 2008-03-31 20:06   <DIR>   d--------   C:\!KillBox
2008-03-25 21:28 . 2008-04-10 22:06   <DIR>   d--------   C:\Program Files\Wise Registry Cleaner 3
2008-03-24 17:16 . 2008-04-20 18:27   74,139,680   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-24 17:16 . 2008-04-20 18:27   824,108   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-24 17:13 . 2008-03-14 00:11   75,248   --a------   C:\WINDOWS\zllsputility.exe
2008-03-24 16:59 . 2008-03-24 16:59   <DIR>   d--------   C:\Program Files\ZyXEL
2008-03-24 16:59 . 2006-04-14 16:35   31,744   --a------   C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-03-24 16:59 . 2006-04-14 16:35   17,151   --a------   C:\WINDOWS\system32\drivers\ZDPNDIS5.sys
2008-03-24 09:31 . 2008-03-24 09:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-23 23:21 . 2008-03-23 23:21   <DIR>   d--------   C:\Program Files\Zone Labs
2008-03-21 17:42 . 2008-03-23 20:59   805   --a------   C:\rollback.ini
2008-03-21 13:32 . 2008-03-21 13:32   <DIR>   d--------   C:\Program Files\SonicWallES

2008-04-20 17:26   89,088   ----a-w   C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-20 15:46   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\SiteAdvisor
2008-04-20 06:40   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\LimeWire
2008-04-20 00:02   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-19 21:57   ---------   d-----w   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 20:57   63,488   ----a-w   C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-19 20:50   ---------   d-----w   C:\Program Files\Lavasoft
2008-04-19 20:50   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 19:03   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2008-04-19 15:37   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\iolo
2008-04-19 13:52   ---------   d-----w   C:\Program Files\Java
2008-04-18 13:01   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\Ahead
2008-04-18 12:52   ---------   d-----w   C:\Program Files\Ahead
2008-04-17 20:33   ---------   d-----w   C:\Program Files\VSO
2008-04-17 20:33   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\Vso
2008-04-15 20:46   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\Skype
2008-04-14 19:34   ---------   d-----w   C:\Program Files\MSECACHE
2008-04-10 21:07   ---------   d-----w   C:\Program Files\Wise Disk Cleaner
2008-04-10 20:55   ---------   d-----w   C:\Program Files\RogueRemover FREE
2008-04-10 20:49   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 20:49   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-04-05 11:51   ---------   d-----w   C:\Program Files\FLV Player
2008-04-03 18:03   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 08:37   ---------   d-----w   C:\Program Files\DivX
2008-03-31 22:57   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-03-31 07:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\grey ante kind mess
2008-03-25 22:10   ---------   d-----w   C:\Program Files\Auslogics
2008-03-22 16:07   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-03-21 11:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-18 19:38   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\ExPLabs.com
2008-03-13 23:11   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
2008-03-13 08:08   ---------   d-----w   C:\Program Files\Real
2008-03-13 08:08   ---------   d-----w   C:\Program Files\Common Files\Real
2008-03-12 23:35   ---------   d-----w   C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2008-03-08 13:45   164   ----a-w   C:\install.dat
2008-03-08 13:44   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\GetRightToGo
2008-03-05 12:25   ---------   d-----w   C:\Program Files\Spyware Doctor
2008-03-03 19:53   ---------   d-----w   C:\Program Files\CyberLink
2008-03-03 19:53   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-03 17:42   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-01 15:46   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-03-01 13:58   ---------   d-----w   C:\Program Files\VS Revo Group
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-03-01 08:41   ---------   d-----w   C:\Program Files\PurgeIE
2008-02-29 08:45   ---------   d-----w   C:\Program Files\Microsoft Silverlight
2008-02-28 20:21   ---------   d-----w   C:\Program Files\TVUPlayer
2008-02-27 18:58   ---------   d--h--w   C:\Documents and Settings\Mike\Application Data\GTek
2008-02-25 20:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Registry Helper
2008-02-24 20:14   ---------   d-----w   C:\Program Files\Common Files\Download Manager
2008-02-24 20:14   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-02-24 20:14   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 10:43   ---------   d-----w   C:\Program Files\Enigma Software Group
2008-02-23 20:00   ---------   d-----w   C:\Program Files\SpywareGuard
2008-02-23 19:27   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\BOC425
2008-02-23 16:21   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-23 15:30   812,344   ----a-w   C:\sniper fix.exe
2008-02-22 18:44   86,016   -c--a-w   C:\WINDOWS\system32\VACFix.exe
2008-02-22 10:29   ---------   d-----w   C:\Program Files\MSXML 4.0
2008-02-21 11:23   ---------   d-----w   C:\Documents and Settings\Mike\Application Data\TSO
2008-02-21 02:05   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2008-02-21 02:03   156,992   -c--a-w   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-02-11 08:39   253,952   -c--a-w   C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 08:39   237,568   -c--a-w   C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 12:53   110,592   -c--a-w   C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-08 10:37   82,432   -c--a-w   C:\WINDOWS\system32\IEDFix.exe
2008-02-06 22:36   30,615   -c--a-w   C:\Documents and Settings\Mike\x.exe
2008-02-05 07:48   77,824   -c--a-w   C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2007-10-25 07:07   32,768   -csha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007102520071026\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 17:06 292152]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 19:05 36640]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:57 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-10 09:00 2957824]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2008-04-17 14:32 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-03 19:03 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2008-03-24 16:59:11 10870784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 21:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 21:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PowerDVD"=C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Mike\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\PROGRAM FILES\\SKYPE\\PHONE\\SKYPE.EXE"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-10 09:00]
R2 adunidrv;UniDriver for OneCare;C:\WINDOWS\system32\DRIVERS\adunidrv.sys [2007-09-25 11:43]
R2 advproct;Microsoft Corporation Process Trigger Driver;C:\WINDOWS\system32\DRIVERS\advproct.sys [2007-09-25 13:49]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 palproct;Gteko ProcessTriggerDriver;C:\WINDOWS\system32\DRIVERS\palproct.sys [2007-04-11 17:55]
R2 palunidr;UniDriver for PCPal;C:\WINDOWS\system32\DRIVERS\palunidr.sys [2007-04-11 17:55]
R2 PCPalSrvHost;PCPalSrvHost;"C:\Program Files\PCPal\PCPalSrvHost.exe" [2007-10-24 18:43]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 16:02]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-04-14 16:35]
R4 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;C:\WINDOWS\ZDCNDIS5.sys [2006-04-14 16:35]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 08:00]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 W35UND;W89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\W35UND.SYS [2006-01-12 16:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83b933c2-03c5-11dd-8250-0013498da9f0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 18:29:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Phone\Skype.exe
.
**************************************************************************
.
Completion time: 2008-04-20 18:33:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 17:33:15

Pre-Run: 26,350,305,280 bytes free
Post-Run: 26,740,350,976 bytes free

271   --- E O F ---   2008-04-17 13:00:54

evilfantasy · « **Reply #10 on:** April 20, 2008, 12:01:35 PM »

Looks good.

Uninstall ComboFix

Click Start then Run and enter everything from the Code box below into the run box and then click OK.

Code: [Select]

"%userprofile%\Desktop\cf" /u
Note: The space between the cf" and the /u must be there.

The above procedure will

Delete ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Lets clear your system restore of infected restore points.

Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are infected, but that's good news)

Turn OFF System Restore

On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check Turn off System Restore
Click Apply, and then click OK

Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check Turn off System Restore
Click Apply, and then click OK

System Restore will now be active again

Now set a new restore point

Go to Start, then Programs, then Accessories, then System Tools
Choose System Restore
When the program starts, make sure that Create a Restore Point is checked, the click Next
Give the restore point a name, then click Create, then Close to complete.

.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Let me know how everything is now.

skyblue · « **Reply #11 on:** April 20, 2008, 12:47:01 PM »

Thanks for all your advice and help all taken on board
i will run an avg scan shortly let you know how it goes ,

while you are there received this pm whats that all about

aliph
Newbie

Offline

Posts: 1

hey
« Sent to: skyblue on: Today at 05:07:54 PM »

--------------------------------------------------------------------------------
i got an assignment..i gotta submit it on tuesday..i'm kinda hoping u can help...

task 3...20 marks
the administration staff and manager will access this system via an initial system entry screen with a password- this will give access to a main menu screen. the main menu will provide a choice of access to the following screens:

a. add /delete nurse
b. update nurse details
c. add nursing hours worked
d. add/delete institution
e. update institution details
f. add request for nurse
g. search available staff/ complete request
h. print report (manager only)
i. exit

(i) using pseudocode, write the top level code for a module showing how the various screens can be accessed.

note the pseudocode for add, delete, update , search, print and exit procedures is not required.

(ii) Draw a flowchart for the above module in part (i)

evilfantasy · « **Reply #12 on:** April 20, 2008, 12:51:12 PM »

Looks like alphie is basically spamming for homework help. I would ignore and delete it.

No problem on the help. Everything should be OK now - I hope

Computer Hope Forum

News:

Author Topic: Advice Please (Read 6635 times)

skyblue

Advice Please

evilfantasy

Re: Advice Please

skyblue

Re: Advice Please

evilfantasy

Re: Advice Please

skyblue

Re: Advice Please

evilfantasy

Re: Advice Please

skyblue

Re: Advice Please

evilfantasy

Re: Advice Please

skyblue

Re: Advice Please

skyblue

Re: Advice Please

evilfantasy

Re: Advice Please

skyblue

Re: Advice Please

evilfantasy

Re: Advice Please