
[IN PROGRESS]Antivirus 2009

Ramseys

Cadet


Joined: Aug 19, 2008
Posts: 6
Location: USA

Posted: Tue Aug 19, 2008 11:20 pm    Post subject: Antivirus 2009

For about the last four days, my desktop has been starting to run slow and it somehow gained a program by the name of Antivirus 2009. The program looks exactly like it was from Microsoft but it doesn't have any of the licensing or things like that that prove it's from Microsoft. The antivirus program pops up about every 2-3 minutes and it says I have a major security issue. The program will scan the computer and when it's done it will ask to remove the infected files. When I click yes to remove said files it prompts for licensing information which you have to buy from some website for $49.95. I have Avast! Antivirus already on the computer but it isn't really working the best because it's still there.

Anywho, this is the HijackThis Log from Notepad.

-------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:18 PM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\setup1019.exe
C:\Program Files\AV9\av2009.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\C.tmp
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\setup1019.exe
O4 - HKCU\..\Run: [16672946613157070427905260296443] C:\Program Files\AV9\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/23.21/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1218841259_0ca90be436e3204ed4e6fdfd406830fa&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - http://157.182.176.131:8900/web-ct/en8/img/logo_pill_round2.gif
O24 - Desktop Component 1: (no name) - http://vista.wvu.edu:8080/webct/applicationframework/images/webct_vista_logo_small.gif
O24 - Desktop Component 2: (no name) - http://vista.wvu.edu:8080/webct/mywebct/images/logo.gif
O24 - Desktop Component 3: (no name) - http://www.39dollarglasses.com/store/images//home/wsj.gif
O24 - Desktop Component 4: (no name) - http://swapink.com/Merchant5/graphics/sfnt_swapandsave_new.gif

--
End of file - 8465 bytes

--------------------------------------------------------------

Thank you to anyone who tries to help.

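The log above is what a responder reads by eye; the entries they would pick out first are the O4 autostart that launches from the user's Temp folder (Somefox), the O4 whose value name is a long random number (av2009.exe), and the O2 BHO and O21 SSODL that both point at sockins32.dll with "(file missing)" and no path. The following is an added Python example, not part of this post and not HijackThis code; it parses a few constructed lines in the HijackThis v2 format (paths copied from the log above) and applies those triage rules. The function and rule names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format. Paths are the ones shown in the
# log above; the selection of lines is mine.
SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\setup1019.exe
O4 - HKCU\..\Run: [16672946613157070427905260296443] C:\Program Files\AV9\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)"""

# "O4 - ..." / "O2 - ..." / "R1 - ..." : section tag, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# O4: hive\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 (BHO) and O21 (SSODL): label: name - {CLSID} - dll path
DLL_RE = re.compile(r"^(?:BHO|SSODL): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)      # launched from a Temp dir
NUMERIC_NAME_RE = re.compile(r"^\d{16,}$")            # long all-digit value name


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. O4
    name: str      # value name (O4) or object name (O2/O21)
    target: str    # executable or DLL the entry loads
    reason: str    # why it was flagged


def first_path(cmd: str) -> str:
    """Return the program path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage_line(line: str) -> list[Finding]:
    """Apply the triage rules to one HijackThis line; returns zero or more findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings: list[Finding] = []

    if section == "O4":
        m4 = O4_RE.match(body)
        if not m4:
            return []
        name, exe = m4.group("name"), first_path(m4.group("cmd"))
        if TEMP_RE.search(exe):
            findings.append(Finding(section, name, exe,
                                    "autostart launches an executable from a Temp directory"))
        if NUMERIC_NAME_RE.match(name):
            findings.append(Finding(section, name, exe,
                                    "autostart value name is a long random-looking number"))

    elif section in ("O2", "O21"):
        mx = DLL_RE.match(body)
        if not mx:
            return []
        name, path = mx.group("name"), mx.group("path")
        bare = path.replace(" (file missing)", "")
        if path.endswith("(file missing)"):
            findings.append(Finding(section, name, path,
                                    "load point references a DLL that is not on disk"))
        if "\\" not in bare:
            findings.append(Finding(section, name, path,
                                    "DLL given by bare filename, resolved by search order rather than a fixed path"))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and collect the findings in order."""
    out: list[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} [{f.name}] {f.target}: {f.reason}")
```

The rules only say what is worth a closer look; a hit is a reason to check the file on disk and its signer, as the Silent Runners report later in this thread does with its [file not found] and [null data] annotations, not proof of infection by itself. The avast! and Java entries pass all four rules, which is the point of writing the rules down: the same log can be re-read the same way every time.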
YounGun

1st Responder
Site Moderator

Joined: Dec 11, 2004
Posts: 4369

1st Responders Moderators MVP Rootkit Responders SRT Team F@H

Posted: Wed Aug 20, 2008 3:40 pm    Post subject:

Hi, my name is Victor and I will be helping you.

Please take your time to read through my instructions and follow them carefully. I am not going to be able to reply immediately, so please wait patiently for my reply.

Please download ATF Cleaner by Atribune.

This program is for Windows 98/ME/2K/XP and Vista

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.


If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.


If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.


Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.

Before we start fixing your problems, I would like to see if any other startups are involved. To do this, I need to see another type of log please. Go here and download Silent Runners.vbs to a new folder on your Desktop (clicking the download link works if you use IE; if you use Firefox, right-click on the link and choose "Save Link As") and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (make sure you wait for the popups please). Please post the information back in this thread too (you may need to make a couple of posts). If your antivirus program queries the script, allow it to run. It's not malicious.


_________________
IT Stuff
Ramseys

Cadet


Joined: Aug 19, 2008
Posts: 6
Location: USA

Posted: Thu Aug 21, 2008 1:46 am    Post subject:

Hello Victor.

I have used the ATF Cleaner program on my computer exactly like you said and it ran successfully.

I have also run the Silent Runners program. The log from Silent Runners is as follows.

I have also included a second report from Silent Runners after I found and used a program named Malwarebytes' Anti-Malware and it removed 19 various viruses including 5 parasites and trojans. The program said it removed an "Antivirus 2009 Trojan Virus", and it removed the icon from the toolbar and popups for now.

This first report is from BEFORE I ran Malwarebytes'.

------------------------------------------------------------

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" [file not found]
"spc_w" = ""C:\Program Files\JUSearch\juspc.exe" -w" ["United Online, Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"cdloader" = ""C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK" ["magicJack L.P."]
"Somefox" = "C:\DOCUME~1\Owner\LOCALS~1\Temp\setup1019.exe" [file not found]
"16672946613157070427905260296443" = "C:\Program Files\AV9\av2009.exe" [null data]
"ieupdate" = ""C:\WINDOWS\system32\ieupdates.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"SunKistEM" = "C:\Program Files\Digital Media Reader\shwiconem.exe" ["Alcor Micro, Corp."]
"(Default)" = "(empty string)" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u"
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"LXBSCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]
{500BCA15-57A7-4eaf-8143-8C619470B13D}\(Default) = "XML module"
-> {HKLM...CLSID} = "XML Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msxml71.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Microsoft copyright"
\InProcServer32\(Default) = "sockins32.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"WebProxy" = "{66186F05-BBBB-4a39-864F-72D84615C679}"
-> {HKLM...CLSID} = "WebProxy"
\InProcServer32\(Default) = "sockins32.dll" [file not found]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "MrvGINA.dll" ["Marvell(R)"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]|"aswBoot.exe /M:5a0bc69ac" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LogitechQuickSync\
"Provider" = "Logitech QuickSync"
"InvokeProgID" = "Applications\QSync.exe"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Applications\QSync.exe\shell\open\command\(Default) = ""C:\Program Files\Logitech\Video\QSync.exe"" [file not found]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BigFix" -> shortcut to: "C:\Program Files\BigFix\bigfix.exe /atstartup" ["BigFix Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NETGEAR WG311v3 Smart Wizard" -> shortcut to: "C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe /HIDE" [null data]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}"
-> {HKLM...CLSID} = "JunoBar"
\InProcServer32\(Default) = "blank" [file not found]
"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}"
-> {HKLM...CLSID} = "AIM Search"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" ["America Online, Inc"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{5345A7AE-805A-4923-B505-86B2FEBA3FE0}\(Default) = "iMeshBar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = (no title provided)
-> {HKLM...CLSID} = "URLSearchHook Class"
\InProcServer32\(Default) = "C:\Program Files\JUSearch\SearchEnh1.dll" ["United Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
CLCV0, UTSCSI, "C:\WINDOWS\system32\UTSCSI.EXE" [empty string]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
810 Series Port\Driver = "lxbslmpm.DLL" ["Lexmark International, Inc."]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


---------- (launch time: 2008-08-20 18:54:13)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 54 seconds.
---------- (total run time: 129 seconds)

--------------------------------------------------------------

This is the Silent Runners report AFTER Using Malwarebytes'.

--------------------------------------------------------------

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" [file not found]
"spc_w" = ""C:\Program Files\JUSearch\juspc.exe" -w" ["United Online, Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"cdloader" = ""C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK" ["magicJack L.P."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"SunKistEM" = "C:\Program Files\Digital Media Reader\shwiconem.exe" ["Alcor Micro, Corp."]
"(Default)" = "(empty string)" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u"
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"LXBSCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "MrvGINA.dll" ["Marvell(R)"]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("msapsspc.dll schannel.dll digest.dll msnsspc.dll" [MS]) "SecurityProviders" = "msapsspc.dll schannel.dll digest.dll msnsspc.dll"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LogitechQuickSync\
"Provider" = "Logitech QuickSync"
"InvokeProgID" = "Applications\QSync.exe"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Applications\QSync.exe\shell\open\command\(Default) = ""C:\Program Files\Logitech\Video\QSync.exe"" [file not found]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BigFix" -> shortcut to: "C:\Program Files\BigFix\bigfix.exe /atstartup" ["BigFix Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NETGEAR WG311v3 Smart Wizard" -> shortcut to: "C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe /HIDE" [null data]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}"
-> {HKLM...CLSID} = "JunoBar"
\InProcServer32\(Default) = "blank" [file not found]
"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}"
-> {HKLM...CLSID} = "AIM Search"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" ["America Online, Inc"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{5345A7AE-805A-4923-B505-86B2FEBA3FE0}\(Default) = "iMeshBar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = (no title provided)
-> {HKLM...CLSID} = "URLSearchHook Class"
\InProcServer32\(Default) = "C:\Program Files\JUSearch\SearchEnh1.dll" ["United Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
CLCV0, UTSCSI, "C:\WINDOWS\system32\UTSCSI.EXE" [empty string]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
810 Series Port\Driver = "lxbslmpm.DLL" ["Lexmark International, Inc."]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


---------- (launch time: 2008-08-20 21:22:32)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 69 seconds, including 6 seconds for message boxes)

--------------------------------------------------------------

YounGun

1st Responder
Site Moderator

Joined: Dec 11, 2004
Posts: 4369

1st Responders Moderators MVP Rootkit Responders SRT Team F@H

PostPosted: Fri Aug 22, 2008 9:26 am    Post subject:

Hi :)

Please download Combofix from one of these locations:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Take note that the links are case sensitive.
Save ComboFix to the desktop.
Note: It is important that it is saved directly to, and run from, your desktop.

In the event you already have Combofix, please delete it as this is a new version.

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.

Download and scan with SUPERAntiSpyware Free for Home Users

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


_________________
IT Stuff
Ramseys

Cadet


Joined: Aug 19, 2008
Posts: 6
Location: USA

PostPosted: Sat Aug 30, 2008 12:47 am    Post subject:

I have done the programs. But, there's one thing... I did ComboFix, and then I did SUPERAntiSpyware. But, apparently when SUPERAntiSpyware rebooted, it lost the ComboFix log. So I redid the ComboFix log after the antispyware program. I don't know if that makes a difference, I just thought I would let you know. huh?

ComboFix Log:
-------------------------------------------------------------

ComboFix 08-08-29.02 - Owner 2008-08-29 20:28:48.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 19:19 . 2008-08-29 19:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-29 19:19 . 2008-08-29 19:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-29 19:19 . 2008-08-29 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-29 19:18 . 2008-08-29 19:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 20:33 . 2008-08-20 20:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 20:33 . 2008-08-20 20:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-20 20:33 . 2008-08-20 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 20:33 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 20:33 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 18:17 . 2008-08-20 18:17 74 --a------ C:\WINDOWS\st_affiliate.ini
2008-08-18 15:19 . 2008-08-18 15:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 10:05 . 2008-08-18 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 19:02 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-15 19:00 . 2008-08-15 19:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-15 13:07 . 2008-08-18 09:33 <DIR> d-------- C:\Program Files\Coupons
2008-08-14 14:14 . 2008-08-14 14:14 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-14 14:14 . 2008-08-14 14:14 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-14 14:14 . 2008-08-14 14:14 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-14 14:14 . 2008-08-14 14:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-14 14:10 . 2008-08-14 14:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-14 14:00 . 2008-08-14 14:00 <DIR> d-------- C:\WINDOWS\EHome
2008-08-14 11:52 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-14 11:51 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-14 10:31 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 10:30 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-06 23:35 . 2008-08-18 02:28 <DIR> d-------- C:\Program Files\Divx
2008-07-23 12:48 . 2008-07-23 12:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 12:48 . 2008-07-23 12:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-22 11:45 . 2008-07-22 11:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-16 13:41 . 2008-07-18 11:57 <DIR> d-------- C:\Program Files\SpamWeed
2008-07-16 12:58 . 2008-07-16 13:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MailWasherPro
2008-07-16 09:23 . 2008-07-16 09:23 45,056 --a------ C:\WINDOWS\system32\UTSCSI.EXE
2008-07-16 08:23 . 2008-08-29 20:22 748 --a------ C:\WINDOWS\win.ini
2008-07-16 08:23 . 2008-08-29 20:32 227 --a------ C:\WINDOWS\system.ini
2008-07-16 08:23 . 2004-08-04 22:00 2 --a------ C:\WINDOWS\desktop.ini
2008-07-16 08:23 . 2004-08-26 21:04 0 --a--c--- C:\WINDOWS\control.ini
2008-07-14 14:38 . 2008-07-25 10:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mjusbsp
2008-07-07 16:26 . 2008-07-07 16:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-07-06 21:02 . 2008-07-06 21:02 1,160 --a------ C:\WINDOWS\mozver.dat
2008-07-06 20:58 . 2008-07-06 20:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 10:56 --------- d-----w C:\Program Files\Lx_cats
2008-08-21 00:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-20 01:43 --------- d-----w C:\Program Files\Looking Out Looking In
2008-08-20 01:42 --------- d-----w C:\Program Files\PCUploader
2008-08-18 14:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 14:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-18 12:53 --------- d-----w C:\Program Files\Google
2008-08-15 23:02 --------- d-----w C:\Program Files\Java
2008-08-05 13:56 --------- d-----w C:\Program Files\Yahoo!
2008-08-05 13:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 02:07 18,852 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-30 15:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-30 15:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2007-07-30 11:56 84,163 -c--a-w C:\Program Files\newspaper (311 x 389).jpg
2007-07-25 01:53 2,986 -c--a-w C:\Program Files\New Image (48 x 36).jpg
2005-10-06 19:17 280,576 -c--a-w C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2005-10-06 19:17 280,576 -c--a-w C:\WINDOWS\inf\WG311v3\WG311v3.sys
2005-03-01 15:16 212,992 -c--a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2004-12-29 00:06 184,680 -c--a-w C:\Documents and Settings\Owner\Application Data\shb.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-29_19.12.05.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-29 23:19:49 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-29 23:19:49 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-30 00:20:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spc_w"="C:\Program Files\JUSearch\juspc.exe" [2004-11-09 04:37 286786]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"cdloader"="C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-06-12 15:37 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-30 05:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 09:11 118784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 05:42 32768]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-12 01:18 135168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-22 20:15 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 10:38 78008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"LXBSCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 12:26 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-04-29 09:38:35 2348584]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
NETGEAR WG311v3 Smart Wizard.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2007-06-26 14:06:00 1078]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\WinMXBETA\\WinMX.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-08-17 15:04]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-16 10:11]
S3 PciTest;WinMTA PCI Service;C:\WINDOWS\SYSTEM32\DRIVERS\pcitest.sys [2003-11-26 01:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeee5df2-51d3-11dd-a65c-00146cc1d5ec}]
\Shell\AutoRun\command - I:\autorun.exe
\Shell\phone\command - I:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-30 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-30 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-09-09 14:21]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 20:32:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29 20:35:47
ComboFix-quarantined-files.txt 2008-08-30 00:35:26
ComboFix2.txt 2008-08-29 23:12:57

Pre-Run: 64,230,768,640 bytes free
Post-Run: 64,215,224,320 bytes free

175 --- E O F --- 2008-08-27 00:32:55

--------------------------------------------------------------

HijackThis Log:
--------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:41 PM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/23.21/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1218841259_0ca90be436e3204ed4e6fdfd406830fa&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - http://157.182.176.131:8900/web-ct/en8/img/logo_pill_round2.gif
O24 - Desktop Component 1: (no name) - http://vista.wvu.edu:8080/webct/applicationframework/images/webct_vista_logo_small.gif
O24 - Desktop Component 2: (no name) - http://vista.wvu.edu:8080/webct/mywebct/images/logo.gif
O24 - Desktop Component 3: (no name) - http://www.39dollarglasses.com/store/images//home/wsj.gif
O24 - Desktop Component 4: (no name) - http://swapink.com/Merchant5/graphics/sfnt_swapandsave_new.gif

--
End of file - 7523 bytes

--------------------------------------------------------------

SUPERAntiSpyware Log:
--------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/29/2008 at 08:05 PM

Application Version : 4.20.1046

Core Rules Database Version : 3551
Trace Rules Database Version: 1539

Scan type : Complete Scan
Total Scan Time : 00:40:20

Memory items scanned : 388
Memory threats detected : 0
Registry items scanned : 5278
Registry threats detected : 0
File items scanned : 22205
File threats detected : 75

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkyaodjmfo.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgl4uodzccp.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.media.mtvnservices.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.media.mtvnservices.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.hulu.112.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eexdbq2j.default\cookies.txt ]

--------------------------------------------------------------

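Scanner logs like the one above declare a threat count up front ("File threats detected : 75") and then list every hit under a category header, so a reader has to scan the whole list to see that all 75 are tracking cookies rather than executables. The script below is an added example (it is not from this thread and not part of any scanner) that parses that layout, groups cookie hits by domain, and separates anything that is not a cookie so it can be acted on. The sample log is constructed from the format shown in the post and deliberately shortened; the "Example.NonCookie" category and its path are placeholders, not a real detection.

```python
"""Triage a scan log of the form shown in the thread: summary counters, then
category headers followed by item lines.  Added example; sample input is
constructed, not the poster's full log."""
import re
from collections import Counter

# Constructed sample: a cut-down version of the posted log plus one
# hypothetical non-cookie category so the triage path is exercised.
SAMPLE_LOG = """\
Memory items scanned : 388
Memory threats detected : 0
Registry items scanned : 5278
Registry threats detected : 0
File items scanned : 22205
File threats detected : 6

Adware.Tracking Cookie
C:\\Documents and Settings\\Owner\\Cookies\\owner@advertising[2].txt
C:\\Documents and Settings\\Owner\\Cookies\\owner@doubleclick[1].txt
.advertising.com [ C:\\Documents and Settings\\Owner\\Application Data\\Mozilla\\Firefox\\Profiles\\eexdbq2j.default\\cookies.txt ]
.specificclick.net [ C:\\Documents and Settings\\Owner\\Application Data\\Mozilla\\Firefox\\Profiles\\eexdbq2j.default\\cookies.txt ]
.hulu.112.2o7.net [ C:\\Documents and Settings\\Owner\\Application Data\\Mozilla\\Firefox\\Profiles\\eexdbq2j.default\\cookies.txt ]

Example.NonCookie
C:\\example\\constructed.exe
"""

COOKIE_CATEGORIES = {"Adware.Tracking Cookie"}

SUMMARY_LINE = re.compile(r"^(.+?) : (\d+)$")
# IE cookie file: ...\Cookies\user@host[n].txt  -> host (as the scanner prints it)
IE_COOKIE = re.compile(r"@([^\\\[]+)\[\d+\]\.txt$", re.IGNORECASE)
# Firefox entry: .host [ <path to cookies.txt> ]  -> host without leading dot
FF_COOKIE = re.compile(r"^\.?(\S+) \[ .+cookies\.txt \]$", re.IGNORECASE)


def parse_log(text):
    """Return (summary counters, {category: [item lines]})."""
    summary, findings = {}, {}
    category = "(uncategorized)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
        elif ":\\" in line:            # a Windows path => an item under the current header
            findings.setdefault(category, []).append(line)
        else:                          # anything else is a category header
            category = line
            findings.setdefault(category, [])
    return summary, findings


def cookie_domain(item):
    """Extract the cookie host from an IE or Firefox item line, else None."""
    m = IE_COOKIE.search(item)
    if m:
        return m.group(1).lower()
    m = FF_COOKIE.match(item)
    if m:
        return m.group(1).lower()
    return None


def triage(text):
    """Split findings into cookie noise (counted per domain) and real hits."""
    summary, findings = parse_log(text)
    cookie_domains = Counter()
    non_cookie = []
    for cat, items in findings.items():
        if cat in COOKIE_CATEGORIES:
            for item in items:
                cookie_domains[cookie_domain(item) or item] += 1
        else:
            non_cookie.extend((cat, item) for item in items)
    listed = sum(len(v) for v in findings.values())
    declared = summary.get("File threats detected")
    return {
        "declared": declared,
        "listed": listed,
        "consistent": declared == listed,   # header count matches the item list
        "cookie_domains": cookie_domains,
        "non_cookie": non_cookie,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['listed']} findings listed, {r['declared']} declared, consistent={r['consistent']}")
    for dom, n in r["cookie_domains"].most_common():
        print(f"  cookie  {dom} x{n}")
    for cat, item in r["non_cookie"]:
        print(f"  ACTION  {cat}: {item}")
```

Run on the full log in the post, the cookie list collapses to a handful of ad-network domains and the non-cookie list is empty, which is the point to verify before treating a "75 threats" headline as evidence of the fake antivirus itself; it was not detected by this scan.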
YounGun

1st Responder
Site Moderator

Joined: Dec 11, 2004
Posts: 4369


PostPosted: Tue Sep 02, 2008 6:43 pm    Post subject:

Hi,

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

[screenshot]

Download the file & save it as it's originally named, next to ComboFix.exe.

[screenshot]

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop