Malwarebytes installation errors


When attempting to install MWB I get various VB errors such as "vbAccelerator SGRID II Control - Runtime '0'"

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:51 PM, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Creative\Shared Files\CTDevSrv.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
F:\Documents and Settings\Administrator\My Documents\Antivirus\mb.exe
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-H1HL2.tmp\mb.tmp
F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: FCTBPos00Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - F:\Program Files\Gaia Online Toolbar\Toolbar.dll (file missing)
O2 - BHO: (no name) - {BC4292D3-4159-409B-B859-FEEE3AC9CD3E} - (no file)
O2 - BHO: (no name) - {BDA7A5CB-BAC3-4799-93AE-127ACE4B19A1} - F:\WINDOWS\system32\ddcCVnll.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - F:\Program Files\Gaia Online Toolbar\Toolbar.dll (file missing)
O4 - HKLM\..\RunOnce: [spybotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZJman000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232201186203
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC3A7D6-38C4-42EF-A8A4-DDE52C71FEBC}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qoMGXpQH - qoMGXpQH.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - F:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7112 bytes

Edited by AdvancedSetup: Removed Quote Tags
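As an added example (not code from this thread, from HijackThis or from Malwarebytes), the following Python pass triages HijackThis O2/O20/O23 lines the way a log reader does by eye: it flags hooks whose file is gone, BHOs with no display name, Winlogon Notify DLLs given as a bare filename, and modules with pseudo-random names. The sample entries are constructed in the log format shown above, and the heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage pass over HijackThis v2 entries (added example; not the forum's or Malwarebytes' code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis format used in this thread; the paths and
# CLSIDs are modelled on the log above, not parsed from it.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FCTBPos00Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - F:\Program Files\Gaia Online Toolbar\Toolbar.dll (file missing)
O2 - BHO: (no name) - {BC4292D3-4159-409B-B859-FEEE3AC9CD3E} - (no file)
O2 - BHO: (no name) - {BDA7A5CB-BAC3-4799-93AE-127ACE4B19A1} - F:\WINDOWS\system32\ddcCVnll.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qoMGXpQH - qoMGXpQH.dll (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    code: str      # section, e.g. O2 (BHO), O20 (Winlogon Notify), O23 (service)
    name: str      # label and any CLSID/owner fields before the target
    target: str    # file the entry points at; "" when HijackThis shows (no file)
    missing: bool  # HijackThis marked the file as absent from disk


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse_entry(line: str):
    """Parse one 'O2 - ...' style line; return None for header/other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    # The target is always the last ' - ' field; labels may themselves contain
    # ' - ' (e.g. 'Spybot - Search & Destroy'), so split from the right only.
    name, _, target = m.group("body").rpartition(" - ")
    missing = any(marker in target for marker in MISSING_MARKERS)
    for marker in MISSING_MARKERS:
        target = target.replace(marker, "").strip()
    return Entry(m.group("code"), name.strip(), target, missing)


def module_stem(target: str) -> str:
    """'F:\\WINDOWS\\system32\\ddcCVnll.dll' -> 'ddcCVnll'."""
    return target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Generated-name heuristic: very few vowels plus erratic case changes."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    case_flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 and case_flips >= 2


def triage(log_text: str):
    """Return entries a reviewer should look at first, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e.code in ("O2", "O3", "O20") and e.missing:
            reasons.append("orphaned hook: still registered but no file on disk")
        if e.code in ("O2", "O20") and looks_random(module_stem(e.target)):
            reasons.append("pseudo-random module name")
        if e.code == "O2" and "(no name)" in e.name:
            reasons.append("BHO without a display name")
        if e.code == "O20" and e.target and "\\" not in e.target:
            reasons.append("Winlogon Notify DLL given as a bare filename")
        if e.code == "O23" and "Unknown owner" in e.name and e.missing:
            reasons.append("service with no vendor and a missing binary")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.code:<4} {f.entry.target or f.entry.name}: {'; '.join(f.reasons)}")
```

On the constructed sample this flags the two entries ComboFix later removed as orphans (ddcCVnll.dll and qoMGXpQH.dll) plus the file-missing Gaia, unnamed-BHO and ImapiService entries, and leaves the Adobe, Java and SUPERAntiSpyware hooks alone; a flag is a prompt to look, not a verdict.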

  • Root Admin

Please do not use the Quote Tags when posting, thanks.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


ComboFix Log

ComboFix 09-01-21.02 - Administrator 2009-01-21 23:29:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.312 [GMT -5:00]
Running from: f:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\ADAPT_Installer.exe
f:\documents and settings\Administrator\Application Data\FunWebProducts
f:\documents and settings\Administrator\Application Data\FunWebProducts\Data\Administrator\avatar.dat
f:\documents and settings\Administrator\Application Data\FunWebProducts\Data\Administrator\outfit.dat
f:\documents and settings\Administrator\Application Data\FunWebProducts\Data\Administrator\register.dat
f:\documents and settings\Administrator\Application Data\FunWebProducts\Data\Administrator\zbucks.dat
f:\program files\MyWebSearch
f:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
f:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
f:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
f:\program files\MyWebSearch\bar\Message\COMMON\center.htm
f:\program files\MyWebSearch\bar\Message\COMMON\index.htm
f:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
f:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
f:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
f:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
f:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
f:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
f:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
f:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
f:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
f:\windows\system32\ahtn.htm
f:\windows\system32\drivers\seneka.sys
f:\windows\system32\drivers\senekanhrdotcp.sys
f:\windows\system32\llnVCcdd.ini
f:\windows\system32\llnVCcdd.ini2
f:\windows\system32\log.exe
f:\windows\system32\miacueyn.ini
f:\windows\system32\prunnet.exe
f:\windows\system32\rrnuorea.ini
f:\windows\system32\senekadf.dat
f:\windows\system32\senekafuhxybdn.dll
f:\windows\system32\senekakojmkhme.dat
f:\windows\system32\senekalog.dat
f:\windows\system32\test.ttt
f:\windows\system32\warning.gif
f:\windows\system32\win32hlp.cnf
f:\windows\system32\wpmtlwsm.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-19 20:48 . 2009-01-19 20:48 <DIR> d-------- f:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 05:14 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-20 05:13 --------- d-----w f:\program files\Malwarebytes' Anti-Malware
2009-01-20 04:58 685,056 ----a-w f:\windows\is-MKQ60.exe
2009-01-20 04:54 --------- d-----w f:\program files\Trend Micro
2009-01-20 04:20 --------- d-----w f:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 02:31 98,304 ----a-w f:\windows\DUMP789b.tmp
2009-01-20 02:06 98,304 ----a-w f:\windows\DUMP77fe.tmp
2009-01-20 01:52 --------- d-----w f:\program files\SUPERAntiSpyware
2009-01-20 01:52 --------- d-----w f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-20 01:49 98,304 ----a-w f:\windows\DUMP7ed4.tmp
2009-01-20 01:47 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2009-01-20 01:46 1,315,910 ----a-w F:\MGtools.exe
2009-01-20 00:51 --------- d--h--w f:\program files\InstallShield Installation Information
2009-01-20 00:51 --------- d-----w f:\program files\KingsIsle Entertainment
2009-01-18 01:25 --------- d-----w f:\program files\Google
2009-01-17 21:49 98,304 ----a-w f:\windows\DUMP8879.tmp
2009-01-17 21:10 --------- d-----w f:\program files\Warcraft III
2009-01-14 21:11 38,496 ----a-w f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w f:\windows\system32\drivers\mbam.sys
2009-01-13 02:38 --------- d-----w f:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-04 04:54 --------- d-----w f:\program files\Spybot - Search & Destroy
2009-01-03 03:52 --------- d-----w f:\documents and settings\Administrator\Application Data\BitTorrent
2008-12-31 17:14 --------- d-----w f:\program files\Java
2008-12-06 03:52 --------- d-----w f:\program files\QuickPar
2008-12-05 21:18 --------- d-----w f:\documents and settings\Administrator\Application Data\GrabIt
2008-11-15 00:26 98,304 ----a-w f:\windows\DUMP801c.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"swg"="f:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 f:\windows\system32\narrator.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 f:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
"f:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"f:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\BitTorrent\\bittorrent.exe"=
"f:\\Program Files\\Curse\\CurseClient.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S0 naprpfke;naprpfke;f:\windows\system32\drivers\fantulsw.sys []
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B1BE275B-78BF-4A33-81AB-380699CFF329} - (no file)
BHO-{BC4292D3-4159-409B-B859-FEEE3AC9CD3E} - (no file)
BHO-{CE398837-5FFD-40CC-AD6A-BC4E39B2727B} - f:\windows\system32\ddcCVnll.dll
Toolbar-{B3535C18-0E70-4D4B-B36B-BBFE139BB144} - (no file)
Notify-qoMGXpQH - qoMGXpQH.dll
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZJman000
TCP: {BDC3A7D6-38C4-42EF-A8A4-DDE52C71FEBC} = 192.168.1.1
FF - ProfilePath - f:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hhlshx2w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 23:42:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

f:\windows\system32\drivers\fantulsw.sys 25088 bytes executable
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\0
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\0\BkGndImages
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\110954055
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\110954055\Smileys
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\110954055\Smileys\Smileys.xml 63 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\110954055\Zaps
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\110954055\Zaps\Zaps.xml 4790 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\370676138
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\370676138\Smileys
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\370676138\Smileys\Smileys.xml 63 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\370676138\Zaps
f:\documents and settings\Administrator\Application Data\MySpace\IM\Extra\370676138\Zaps\Zaps.xml 4790 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\getlatestversion ver=1.0.754.0&uhash=97d23127d2e22ab9bf37909183115929 12 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\getlatestversion ver=1.0.754.0&uhash=bbb074fbf10b629f75cb4e4673374584 12 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\config.lck 0 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\config.xml 3155 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\contactgroup256.dbb 2661 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\index2.dat 464 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\profile256.dbb 169 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\user1024.dbb 7116 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\user256.dbb 2979 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3aclevertrickster_8686\voicemail
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\config.lck 0 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\config.xml 3848 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\contactgroup256.dbb 2661 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\index2.dat 592 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\profile256.dbb 240 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\user1024.dbb 2912 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\user256.dbb 5398 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\myspace#3ajellybean91195\voicemail
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\shared.lck 0 bytes
f:\documents and settings\Administrator\Application Data\MySpace\IM\SkypeCache\shared.xml 32044 bytes

scan completed successfully
hidden files: 35

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
f:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\windows\system32\CTSVCCDA.EXE
f:\program files\Creative\Shared Files\CTDevSrv.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\nvsvc32.exe
f:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
f:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-21 23:46:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 04:46:15

Pre-Run: 36,969,623,552 bytes free
Post-Run: 36,916,051,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

217 --- E O F --- 2008-11-12 08:03:59

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:37 PM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Creative\Shared Files\CTDevSrv.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZJman000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232201186203
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC3A7D6-38C4-42EF-A8A4-DDE52C71FEBC}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - F:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6174 bytes


  • Root Admin

Please download Lop S&D

Double-click on Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt), typically C:\lopR.txt

Then....

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

When that's done you can update Java to the latest version

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Then run this

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Disable your current AV and run this

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks whether you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found [image: check.gif]. If so, click it, then click the icon right below it and select Move incurable [image: move.gif]. This will move the file to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer, because files that were in use may be moved or deleted during the reboot.
  • After reboot, post the contents of the Dr.Web log you saved earlier in your next reply, together with a new HijackThis log.

I was able to complete all the steps above except for the installation of Java. After uninstalling Java using your procedure and attempting to re-install, the installation would just hang. (Double-clicking on the install file, nothing would happen. Looking at Task Manager, the task is in the list but there is no install dialog.)

LopR Log

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2

X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 2.60GHz )

BIOS : BIOS Date: 04/09/04 13:44:32 Ver: 08.00.08

USER : Administrator ( Administrator )

BOOT : Normal boot

Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Activated)

A:\ (USB)

C:\ (Local Disk) - NTFS - Total:189 Go (Free:16 Go)

D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)

E:\ (CD or DVD)

F:\ (Local Disk) - NTFS - Total:57 Go (Free:34 Go)

"F:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Thu 01/22/2009|20:24 )

--------------------\\ Listing folders in APPLIC~1

[03/28/2008|05:24] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe

[02/22/2008|06:47] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Ahead

[01/12/2009|09:38] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Apple Computer

[01/02/2009|10:52] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> BitTorrent

[03/29/2008|02:48] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Google

[12/05/2008|04:18] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> GrabIt

[02/07/2008|07:32] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities

[03/28/2008|05:24] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Macromedia

[08/14/2008|05:30] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[01/17/2009|09:36] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla

[03/17/2008|04:20] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> MySpace

[02/09/2008|11:14] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Nexon

[12/31/2008|12:13] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun

[01/19/2009|08:48] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> SUPERAntiSpyware.com

[01/17/2009|05:12] F:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> WinRAR

[11/05/2008|05:13] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[03/10/2008|05:45] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[03/07/2008|08:54] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple

[03/07/2008|08:57] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[02/07/2008|08:26] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira

[10/14/2008|08:35] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Blizzard

[03/08/2008|09:41] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative

[01/17/2009|08:25] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google

[01/19/2009|11:20] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[05/06/2008|06:20] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[07/29/2008|12:19] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NeoEdge Networks

[01/20/2009|12:14] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[01/19/2009|08:52] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com

[07/29/2008|12:20] F:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia

[02/07/2008|07:21] F:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[02/07/2008|07:21] F:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[10/07/2008|09:49] F:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe

[10/07/2008|09:49] F:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia

[02/07/2008|07:21] F:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in F:\WINDOWS\Tasks

[01/17/2009 06:53 PM][--a------] F:\WINDOWS\tasks\AppleSoftwareUpdate.job

[01/21/2009 11:41 PM][--ah-----] F:\WINDOWS\tasks\SA.DAT

[08/23/2001 07:00 AM][-r-h-----] F:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in F:\Program Files

[09/01/2008|02:55] F:\Program Files\<DIR> Adobe

[03/08/2008|09:24] F:\Program Files\<DIR> Alcohol Soft

[11/05/2008|05:17] F:\Program Files\<DIR> Apple Software Update

[02/07/2008|08:26] F:\Program Files\<DIR> Avira

[09/09/2008|02:33] F:\Program Files\<DIR> BitTorrent

[08/07/2008|09:50] F:\Program Files\<DIR> CCleaner

[01/21/2009|11:38] F:\Program Files\<DIR> Common Files

[02/07/2008|07:17] F:\Program Files\<DIR> ComPlus Applications

[03/08/2008|09:39] F:\Program Files\<DIR> Creative

[10/14/2008|09:23] F:\Program Files\<DIR> Curse

[04/25/2008|08:55] F:\Program Files\<DIR> Disney

[04/04/2008|11:53] F:\Program Files\<DIR> DVD Decrypter

[01/17/2009|08:25] F:\Program Files\<DIR> Google

[02/22/2008|02:43] F:\Program Files\<DIR> GrabIt

[01/19/2009|07:51] F:\Program Files\<DIR> InstallShield Installation Information

[02/07/2008|08:02] F:\Program Files\<DIR> Intel

[01/03/2009|12:00] F:\Program Files\<DIR> Internet Explorer

[11/05/2008|05:12] F:\Program Files\<DIR> iPod

[11/05/2008|05:13] F:\Program Files\<DIR> iTunes

[12/31/2008|12:14] F:\Program Files\<DIR> Java

[01/19/2009|07:51] F:\Program Files\<DIR> KingsIsle Entertainment

[01/20/2009|12:13] F:\Program Files\<DIR> Malwarebytes' Anti-Malware

[08/14/2008|02:10] F:\Program Files\<DIR> Messenger

[02/07/2008|07:21] F:\Program Files\<DIR> microsoft frontpage

[02/07/2008|07:18] F:\Program Files\<DIR> Movie Maker

[01/22/2009|06:37] F:\Program Files\<DIR> Mozilla Firefox

[09/24/2008|09:52] F:\Program Files\<DIR> MSBuild

[02/07/2008|07:16] F:\Program Files\<DIR> MSN

[02/07/2008|07:17] F:\Program Files\<DIR> MSN Gaming Zone

[09/24/2008|09:47] F:\Program Files\<DIR> MSXML 6.0

[03/17/2008|04:20] F:\Program Files\<DIR> MySpace

[02/22/2008|06:45] F:\Program Files\<DIR> Nero

[02/07/2008|07:19] F:\Program Files\<DIR> NetMeeting

[02/07/2008|07:19] F:\Program Files\<DIR> Online Services

[02/09/2008|03:06] F:\Program Files\<DIR> Outlook Express

[12/05/2008|10:52] F:\Program Files\<DIR> QuickPar

[11/05/2008|05:11] F:\Program Files\<DIR> QuickTime

[09/24/2008|09:52] F:\Program Files\<DIR> Reference Assemblies

[06/17/2008|05:09] F:\Program Files\<DIR> Refresher 1.2

[04/18/2008|01:49] F:\Program Files\<DIR> Safari

[08/03/2008|10:41] F:\Program Files\<DIR> Shockwave.com

[01/03/2009|11:54] F:\Program Files\<DIR> Spybot - Search & Destroy

[01/19/2009|08:52] F:\Program Files\<DIR> SUPERAntiSpyware

[02/07/2008|08:19] F:\Program Files\<DIR> SystemRequirementsLab

[01/19/2009|11:54] F:\Program Files\<DIR> Trend Micro

[02/07/2008|07:32] F:\Program Files\<DIR> Uninstall Information

[01/22/2009|08:10] F:\Program Files\<DIR> Warcraft III

[02/09/2008|03:07] F:\Program Files\<DIR> Windows Media Player

[02/07/2008|07:17] F:\Program Files\<DIR> Windows NT

[02/07/2008|07:19] F:\Program Files\<DIR> WindowsUpdate

[02/21/2008|07:54] F:\Program Files\<DIR> WinRAR

[02/07/2008|07:21] F:\Program Files\<DIR> xerox

--------------------\\ Listing Folders in F:\Program Files\Common Files

[03/10/2008|05:45] F:\Program Files\Common Files\<DIR> Adobe

[02/22/2008|06:45] F:\Program Files\Common Files\<DIR> Ahead

[11/05/2008|05:10] F:\Program Files\Common Files\<DIR> Apple

[10/14/2008|09:11] F:\Program Files\Common Files\<DIR> Blizzard Entertainment

[02/09/2008|11:13] F:\Program Files\Common Files\<DIR> INCA Shared

[02/07/2008|08:22] F:\Program Files\Common Files\<DIR> InstallShield

[04/27/2008|08:40] F:\Program Files\Common Files\<DIR> Microsoft Shared

[02/07/2008|07:19] F:\Program Files\Common Files\<DIR> MSSoap

[06/22/2015|06:43] F:\Program Files\Common Files\<DIR> ODBC

[02/07/2008|07:19] F:\Program Files\Common Files\<DIR> Services

[06/22/2015|06:43] F:\Program Files\Common Files\<DIR> SpeechEngines

[10/07/2008|09:49] F:\Program Files\Common Files\<DIR> Symantec Shared

[02/09/2008|03:06] F:\Program Files\Common Files\<DIR> System

[01/19/2009|08:47] F:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 30 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 20:25:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden files ...

F:\WINDOWS\System32\ddcCVnll.dll 299008 bytes executable

F:\WINDOWS\System32\drivers\fantulsw.sys 25088 bytes executable

scan completed successfully

hidden processes: 0

hidden files: 2

--------------------\\ Searching for other infections

No other infections found !

[F:2][D:0]-> F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

[F:4][D:0]-> F:\DOCUME~1\ADMINI~1\Cookies

[F:3][D:1]-> F:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "F:\Lop SD\LopR_1.txt" - Thu 01/22/2009|20:26 - Option : [1]

--------------------\\ Scan completed at 20:26:47

JavaRa Logfile

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jan 22 20:33:50 2009

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jan 22 20:34:37 2009

------------------------------------

Finished reporting.

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jan 22 20:34:57 2009

------------------------------------

Finished reporting.

Dr.Web CureIt found no viruses and did not produce a logfile.

HijackThis Logfile

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:17:14 AM, on 1/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

F:\WINDOWS\Explorer.EXE

F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

F:\WINDOWS\system32\CTsvcCDA.exe

F:\Program Files\Creative\Shared Files\CTDevSrv.exe

F:\WINDOWS\system32\nvsvc32.exe

F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\system32\ctfmon.exe

F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

F:\WINDOWS\system32\dwwin.exe

F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SSUPDATE.EXE

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\wscntfy.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O8 - Extra context menu item: &Search - ?p=ZJman000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232201186203

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC3A7D6-38C4-42EF-A8A4-DDE52C71FEBC}: NameServer = 192.168.1.1

O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - F:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - F:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 6025 bytes

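The logs in the reply above are the raw material a helper has to triage by hand: HijackThis entries whose backing file is gone ("(no file)", "(file missing)"), processes started out of a Temp directory, and the two files catchme reported as hidden under System32. The following is an added example, not part of the original thread and not code from HijackThis, Lop S&D or catchme. It parses the line shapes visible in those logs and flags the entries a helper would look at first. The sample log is constructed from a subset of lines copied from the HijackThis and catchme output above (blank lines dropped); the flagging rules are this example's own heuristics, not the tools' verdicts, and a flag means "verify", not "malicious".

```python
"""Triage helper for HijackThis v2.0.2 and catchme 0.3.1353 log lines.

Added example (assumption: the line shapes below are the only ones we
need to recognise; everything else is passed over silently).
"""
import re
from dataclasses import dataclass

# Line shapes taken from the logs posted in the thread.
HJT_ENTRY = re.compile(r"^(?P<kind>[ORF]\d{1,2}) - (?P<body>.+)$")
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\\S.*\.(?:exe|tmp)$", re.IGNORECASE)
CATCHME_HIDDEN = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes (?P<attrs>.*)$")
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis entry type (O2, O23, ...), "process" or "hidden-file"
    item: str    # the path or entry body the finding refers to
    reason: str  # why it was flagged (heuristic, not a verdict)


def iter_sections(text):
    """Yield (section, line) pairs; catchme output is recognised by its banner."""
    section = "hjt"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("catchme "):
            section = "catchme"
        elif line.startswith("Logfile of Trend Micro HijackThis"):
            section = "hjt"
        yield section, line


def triage(text):
    """Return the findings a helper would look at first, in log order."""
    findings = []
    for section, line in iter_sections(text):
        if section == "catchme":
            m = CATCHME_HIDDEN.match(line)
            if m:
                # catchme lists files the Win32 API does not show. A hidden
                # executable under System32 or drivers is the classic stealth
                # pattern; take a sample before anything deletes it.
                in_sys = "\\system32\\" in m.group("path").lower()
                reason = "hidden from Win32 API" + (", inside System32" if in_sys else "")
                findings.append(Finding("hidden-file", m.group("path"), reason))
            continue
        m = HJT_ENTRY.match(line)
        if m:
            kind, body = m.group("kind"), m.group("body")
            if "(no file)" in body or "(file missing)" in body:
                # Registration survived but its file is gone: leftover from an
                # uninstall or a removed component, safe to clean up.
                findings.append(Finding(kind, body, "registered, but backing file is gone"))
            elif kind in ("O2", "O20", "O23") and "Unknown owner" in body:
                findings.append(Finding(kind, body, "no publisher recorded for loaded component"))
            continue
        if PROCESS_LINE.match(line) and TEMP_DIR.search(line):
            # Installers legitimately run from Temp (the thread's mb.tmp does),
            # but so do droppers, so it is worth a second look.
            findings.append(Finding("process", line, "running from a Temp directory"))
    return findings


# Constructed sample: a subset of lines copied from the logs above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SSUPDATE.EXE
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
F:\WINDOWS\System32\ddcCVnll.dll 299008 bytes executable
F:\WINDOWS\System32\drivers\fantulsw.sys 25088 bytes executable
scan completed successfully
hidden files: 2
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.item}")
```

On the sample above the script reports six items: the Temp-resident process, the two orphaned O2 BHO registrations, the IMAPI service whose file is missing, and both catchme hidden files, each marked as sitting inside System32. The "(no file)" entries are what the helper would normally tell HijackThis to fix; the hidden files are the ones worth copying out for a sample before any cleaner touches them.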

Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
