Please help, smitfraud, trojan.avg have taken over my pc...



#1 goldenboy

Posted 30 May 2007 - 09:36 PM

Hello!!! I would consider myself to know a thing or two about removing spyware, malware, etc. But something has come up that I can't fix, so I'm praying someone here can help me beat this thing.

Here is what happened. I use Rapidshare on a regular basis. The file I really wanted was on some third-party Rapidshare-like site, so I downloaded the file using it. I don't remember what the name of it was, but it was about two weeks ago.

Next thing you know, I have constant pop-ups. I have Spybot, immunized, and a crappy antivirus program called eTrust. I got it for free from a friend who works at Best Buy, but I will be purchasing Kaspersky as soon as this is fixed.

They (Spybot and eTrust) find and claim to fix or cure the problem, but when I reboot it comes back, only when I open Internet Explorer. The easy thing to do would be to install Firefox, but that still leaves my PC with a trojan.

I've already made HijackThis logs, used Dr.Web, ATF Cleaner, ComboFix, rootchk, VundoFix, and downloaded a bunch of trial anti-spyware software. Hell, I'd buy SUPERAntiSpyware if I wasn't afraid to use a credit card with this damn thing on my PC.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:33:19 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\AOL\1159911479\ee\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.6\TrojanHunter.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner.R2D2\Desktop\virus and spyware software\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6448
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp14.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {d29fdd1e-2121-4d8a-8074-6d3d7cf07d1b} - C:\WINDOWS\system32\disvol.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\opmmmm.dll",realset
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159494046593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1159494266062
O20 - AppInit_DLLs: c:\windows\system32\vtsttrr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: disvol - C:\WINDOWS\SYSTEM32\disvol.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://www.tednugent.....20of sz88.jpg

--
End of file - 9339 bytes
--------------------------------------------------------------------------

Here is my ComboFix log:

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Owner.R2D2\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\tmp1C.tmp.dll"
"C:\WINDOWS\system32\tmp1F.tmp.dll"
"C:\WINDOWS\system32\tmp7.tmp.dll"
"C:\WINDOWS\system32\tmp9D.tmp.dll"
"C:\WINDOWS\system32\tmpA.tmp.dll"
"C:\WINDOWS\system32\tmpA3.tmp.dll"
"C:\WINDOWS\system32\tmpD.tmp.dll"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 16:52 <DIR> d-------- C:\Documents and Settings\OWNER~1.R2D\DoctorWeb
2007-05-28 16:52 <DIR> d-------- C:\DOCUME~1\OWNER~1.R2D\DoctorWeb
2007-05-28 14:33 233,754 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp21.tmp.exe
2007-05-28 14:33 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp20.tmp.exe
2007-05-28 14:33 106,470 --a------ C:\WINDOWS\wvtuus.dll
2007-05-28 14:21 50,402 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp1F.tmp.exe
2007-05-28 14:02 50,402 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp1C.tmp.exe
2007-05-28 10:29 233,754 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp16.tmp.exe
2007-05-28 10:29 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp15.tmp.exe
2007-05-28 10:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-28 10:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-28 10:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-28 10:10 <DIR> d-------- C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\SUPERAntiSpyware.com
2007-05-28 10:09 50,402 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp7.tmp.exe
2007-05-27 17:16 233,469 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpF.tmp.exe
2007-05-27 11:06 50,345 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpA3.tmp.exe
2007-05-27 10:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 21:24 233,464 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpD.tmp.exe
2007-05-26 21:24 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpE.tmp.exe
2007-05-26 21:24 106,524 --a------ C:\WINDOWS\xxywtu.dll
2007-05-26 20:52 50,371 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp8.tmp.exe
2007-05-26 20:52 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp9.tmp.exe
2007-05-26 18:52 233,283 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp8E.tmp.exe
2007-05-26 18:49 50,425 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp88.tmp.exe
2007-05-26 18:46 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-26 18:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-26 18:13 233,476 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp72.tmp.exe
2007-05-26 18:13 <DIR> d-------- C:\Program Files\CCleaner
2007-05-26 18:12 50,425 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp70.tmp.exe
2007-05-26 18:12 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp71.tmp.exe
2007-05-26 17:18 233,067 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp67.tmp.exe
2007-05-26 17:18 106,526 --a------ C:\WINDOWS\yaxuur.dll
2007-05-26 16:52 50,463 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp60.tmp.exe
2007-05-26 16:52 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp61.tmp.exe
2007-05-26 15:26 50,339 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp9D.tmp.exe
2007-05-26 15:26 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp9E.tmp.exe
2007-05-26 14:15 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpC.tmp.exe
2007-05-26 14:15 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpB.tmp.exe
2007-05-26 14:15 106,549 --a------ C:\WINDOWS\hgghfg.dll
2007-05-26 14:13 50,456 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmpA.tmp.exe
2007-05-26 13:57 233,513 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp34.tmp.exe
2007-05-26 13:56 50,337 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp32.tmp.exe
2007-05-26 13:56 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp33.tmp.exe
2007-05-26 12:36 50,337 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp2E.tmp.exe
2007-05-26 12:36 50,337 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp2D.tmp.exe
2007-05-26 12:36 233,513 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp2F.tmp.exe
2007-05-26 11:19 50,503 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp26.tmp.exe
2007-05-26 11:19 233,675 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp28.tmp.exe
2007-05-26 11:19 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp27.tmp.exe
2007-05-26 09:33 233,754 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp1E.tmp.exe
2007-05-26 09:33 106,450 --a------ C:\WINDOWS\qoppmm.dll
2007-05-26 09:32 17,010 --a------ C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\tmp1D.tmp.exe
2007-05-25 23:52 58,796 --a------ C:\WINDOWS\48x.exe
2007-05-25 23:52 37,535 --a------ C:\WINDOWS\system32\disvol.dll
2007-05-25 23:52 12,010 --a------ C:\WINDOWS\system32\vtsttrr.dll
2007-05-24 01:39 <DIR> d-------- C:\Program Files\The_Jolly_Roger


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 16:52:03 -------- d-----w C:\Program Files\Starcraft
2007-05-27 01:23:02 -------- d-----w C:\Program Files\uTorrent
2007-05-26 23:13:26 -------- d-----w C:\Program Files\Yahoo!
2007-05-25 04:34:15 -------- d-----w C:\Program Files\vso
2007-05-25 04:34:04 -------- d-----w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\Vso
2007-05-25 04:34:03 87,608 ----a-w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\ezpinst.exe
2007-05-25 04:34:03 47,360 ----a-w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\pcouffin.sys
2007-05-24 06:56:39 -------- d-----w C:\Program Files\ShotDrinks.com
2007-05-22 02:39:45 -------- d-----w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\AdobeUM
2007-05-18 02:38:45 -------- d-----w C:\Program Files\PokerStars.NET
2007-05-17 15:35:04 -------- d-----w C:\Program Files\Winamp
2007-05-13 17:34:39 -------- d-----w C:\Program Files\Viewpoint
2007-05-02 14:07:12 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 14:07:12 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 01:46:23 -------- d-----w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\Ahead
2007-04-12 03:25:39 -------- d-----w C:\Program Files\Drug Lord 2
2007-04-11 18:59:09 -------- d-----w C:\Program Files\HighGrow
2007-04-11 00:35:42 -------- d-----w C:\Program Files\Common Files\Logitech
2007-04-11 00:35:32 -------- d-----w C:\Program Files\Logitech
2007-04-11 00:35:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-08 05:25:55 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-07 11:17:26 -------- d-----w C:\Program Files\Nero
2007-04-07 11:17:26 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-06 06:08:02 -------- d-----w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\Help
2007-04-05 04:02:59 -------- d-----w C:\Program Files\support.com
2007-03-29 07:20:18 -------- d-----w C:\DOCUME~1\OWNER~1.R2D\APPLIC~1\CyberLink
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 17:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 17:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-01-31 13:54]
{d29fdd1e-2121-4d8a-8074-6d3d7cf07d1b}=C:\WINDOWS\system32\disvol.dll [2007-05-25 23:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 19:41]
"SigmatelSysTrayApp"="stsystra.exe" []
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 21:22]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 18:16]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 19:39]
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [2005-12-01 10:54]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2006-09-28 23:19]
"QOELOADER"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe" [2006-09-28 23:19]
"CaAvTray"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" [2006-09-28 23:19]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2006-09-28 23:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-05 14:03]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-22 03:24]
"NWEReboot"="" []
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2005-05-31 02:04]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\disvol]
disvol.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\vtsttrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.R2D2^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Owner.R2D2\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159911479\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE


Contents of the 'Scheduled Tasks' folder
2007-05-26 20:43:27 C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 19:56:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [3040]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 19:57:32
C:\ComboFix-quarantined-files.txt ... 2007-05-28 19:57
C:\ComboFix2.txt ... 2007-05-27 10:21
-----------------------------------------------------------------------------------------------------

So yeah, this is where I'm at...
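
The HijackThis log above is what a helper would triage by hand, and the entries that stand out are visible in the log itself: the "(no name)" BHOs loading C:\WINDOWS\system32\tmp14.tmp.dll and disvol.dll, the AppInit_DLLs entry pointing at vtsttrr.dll, the Winlogon Notify package disvol, and the [setup] autorun that uses rundll32.exe to load a six-letter DLL from the Windows root (the same naming pattern as the DLLs in ComboFix's "Files Created" list: opmmmm.dll, wvtuus.dll, xxywtu.dll, yaxuur.dll, hgghfg.dll, qoppmm.dll). "(no name)" on its own is not evidence: Spybot's SDHelper.dll shows up the same way. The script below is an added example, not part of the original post and not part of HijackThis or any of the tools named in it. It encodes those heuristics (which are assumptions drawn from this particular log, not a general signature) and runs them over a constructed sample made of lines copied from the log plus benign entries that share the "(no name)" trait and must not fire.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, plus benign
# entries (Adobe's BHO, Spybot's SDHelper, TrojanHunter's autorun) that the
# heuristics should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp14.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {d29fdd1e-2121-4d8a-8074-6d3d7cf07d1b} - C:\WINDOWS\system32\disvol.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\opmmmm.dll",realset
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O20 - AppInit_DLLs: c:\windows\system32\vtsttrr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: disvol - C:\WINDOWS\SYSTEM32\disvol.dll
"""


@dataclass
class Finding:
    severity: str   # "suspicious" or "review"
    section: str    # HijackThis section prefix: R1, O2, O4, O20
    reason: str
    line: str


WINDIR = re.compile(r"^[a-z]:\\windows\\", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
TMP_DLL = re.compile(r"\\tmp[0-9a-f]+\.tmp\.dll$", re.I)
# Six letters directly in the Windows root: the naming pattern of the DLLs in
# the ComboFix "Files Created" list above. An assumption drawn from this log.
RANDOM_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[a-z]{6}\.dll$", re.I)
LINE = re.compile(r"^(R\d|O\d+) - (.*)$")


def dll_path(text):
    """Return the first drive-letter path ending in .dll in a log fragment, or None."""
    m = re.search(r"[A-Za-z]:\\.+?\.dll\b", text, re.I)
    return m.group(0) if m else None


def triage_line(line):
    """Apply the heuristics to one HijackThis line; None means nothing to report."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    dll = dll_path(body)
    if sec == "R1" and "ProxyServer" in body:
        return Finding("review", sec, "proxy setting present; confirm the user configured it", line)
    if sec == "O2" and dll:
        if TMP_DLL.search(dll) or RANDOM_ROOT_DLL.match(dll):
            return Finding("suspicious", sec, "BHO loads a temp-named or random-named DLL", line)
        # "(no name)" alone is not enough (Spybot's SDHelper has no name either);
        # require the DLL to live in system32 as well.
        if "(no name)" in body and SYSTEM32.match(dll):
            return Finding("suspicious", sec, "unnamed BHO loaded from system32", line)
    if sec == "O4" and dll and (RANDOM_ROOT_DLL.match(dll)
                                or ("rundll32" in body.lower() and WINDIR.match(dll))):
        return Finding("suspicious", sec, "autorun uses rundll32 to load a DLL from the Windows directory", line)
    if sec == "O20":
        if body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            return Finding("suspicious", sec, "AppInit_DLLs injects into every user32-linked process", line)
        if body.startswith("Winlogon Notify:") and dll:
            sev = "suspicious" if SYSTEM32.match(dll) else "review"
            return Finding(sev, sec, "Winlogon Notify package runs inside winlogon.exe at logon", line)
    return None


def triage(log_text):
    """Run every non-empty line of a HijackThis log through the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            f = triage_line(raw)
            if f:
                findings.append(f)
    return findings


def counts(findings):
    """Number of findings per severity, e.g. {"suspicious": 5, "review": 2}."""
    return {s: sum(1 for f in findings if f.severity == s) for s in ("suspicious", "review")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section:3} {f.reason}\n    {f.line.strip()}")
```

On the sample the script reports five "suspicious" entries (both disvol.dll load points, tmp14.tmp.dll, vtsttrr.dll via AppInit_DLLs, and the rundll32 autorun for opmmmm.dll) and two "review" entries (the proxy setting and SUPERAntiSpyware's own Winlogon Notify package), while leaving the Adobe, Spybot and TrojanHunter lines alone. A real triage would then pair each flagged DLL with the ComboFix file list, which is where the rest of the six-letter DLLs and the tmp*.tmp.exe droppers in the user's Application Data folder show up.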

#2 SWI Support Robot

Posted 02 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.