12 replies to this topic

[tonyluo]

I have AVG antispyware delete some bad stuffs, but they will keep coming back,
please someone take a look of my HJT scanning file, thanks!


Logfile of HijackThis v1.99.1
Scan saved at 18:02, on 07-08-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\apache\APACHE.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\apache\APACHE.EXE
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: 0 - {92F1701D-7D4C-4A93-B7B5-11A1C841F7B3} - C:\Program Files\MSN\lavuhaxo.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178233001421
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A995501-276A-45B1-BCD1-7DE6D7FD88E3}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA777ED9-DA27-49F5-A522-E766B4CEB726}: NameServer = 72.21.36.74
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[AndyManchesta]

Hi tonyluo, Welcome to the forum

Run HijackThis and choose Do A System Scan then place a check next to this entry

O2 - BHO: 0 - {92F1701D-7D4C-4A93-B7B5-11A1C841F7B3} - C:\Program Files\MSN\lavuhaxo.dll (file missing)

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file

Please then download WebRoot SpySweeper from HERE (It's a 14 day trial):

• Click the Download now link on the right to download the program.
  
• Double-click the file to install it as follows:

• Click "Next", read the agreement, Click "Next"
  
• Choose "Custom" click "Next".
  
• Leave the default installation directory as it is, then click "Next".
  
• UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  
• On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  
• Finally, click "Install"

• Once the program is installed, it will open.
  
• It will prompt you to update to the latest definitions, click Yes.
  
• Once the definitions are installed, disconnect from the internet.
  
• Click Options on the left side.
  
• Click the Sweep Options tab.
  
• Under What to Sweep please put a check next to the following:
  
• Sweep Memory
  
• Sweep Registry
  
• Sweep Cookies
  
• Sweep All User Accounts
  
• Enable Direct Disk Sweeping
  
• Sweep Contents of Compressed Files
  
• Sweep for Rootkits
  
• Please UNCHECK Do not Sweep System Restore Folder.

• Click Sweep Now on the left side.
  
• Click the Start button.
  
• When it's done scanning, click the Next button.
  
• Make sure everything has a check next to it, then click the Next button.
  
• It will remove all of the items found.
  
• Click Session Log in the upper right corner, copy everything in that window.
  
• Click the Summary tab and click Finish.
  
• Paste the contents of the session log you copied into your next reply.

Post back the Spysweeper log and the Blacklight log if its finds any hidden files and also let us know what the filenames and paths are that AVG keeps detecting if possible,

Cheers

Andy

[tonyluo]

Thank you for your help! I actually used SuperAntiSpyware instead of AVG AntiSpyware, it'll detect some bad cookies, but those popup will come back after reboot PC when PC sometimes got frozen.

No hidden files found after using blacklight so far.

Here is Spy Sweeper Session Log:

03:46: Removal process completed. Elapsed time 00:02:04
03:46: A reboot was required but declined.
03:44: Quarantining All Traces: adlegend cookie
03:44: Quarantining All Traces: about cookie
03:44: Quarantining All Traces: websponsors cookie
03:44: HKLM: system\currentcontrolset\services\core\ is in use. It will be removed on reboot.
03:44: HKLM: system\controlset001\services\core\ is in use. It will be removed on reboot.
03:44: C:\WINDOWS\system32\drivers\core.sys is in use. It will be removed on reboot.
03:44: core adware is in use. It will be removed on reboot.
03:44: Quarantining All Traces: core adware
03:44: Quarantining All Traces: trojan-downloader-micro1
03:44: Quarantining All Traces: coolwebsearch (cws)
03:44: Quarantining All Traces: virtumonde
03:44: Removal process initiated
03:24: Traces Found: 19
03:24: Custom Sweep has completed. Elapsed time 03:24:56
03:23: File Sweep Complete, Elapsed Time: 02:57:47
03:13: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar15.zip]
03:08: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar4.zip]
03:08: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar14.zip]
03:05: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar3.zip]
03:01: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar2.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar7.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar9.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar8.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar1.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\newdotnet2.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar6.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar5.zip]
03:00: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\newdotnet1.zip]
02:59: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar16.zip]
02:54: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar13.zip]
02:54: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar17.zip]
02:54: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar12.zip]
02:54: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar11.zip]
02:54: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar10.zip]
02:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\newdotnet.zip]
02:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\microsoftwindowssecuritycenterfirewalldisablenotify.zip]
02:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\microsoftwindowssecuritycenterantivirusdisablenotify.zip]
02:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\surfsidekick.zip]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7ee28b04-e368-4dea-ae85-1a759944429c.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsce676b06-8431-46d2-8907-9cfdd34d02b4.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms0299d547-1040-4ff9-8354-e3dcd3c33b8e.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms66160380-6602-433a-996c-5b378dded223.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1df57137-a2c6-413d-bdb7-5808c953ded0.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsfb63f6c3-743a-4659-8ce6-5e36175299d1.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse64a643c-9ed1-409d-9c73-bdb882377405.tmp]
02:52: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse091fefc-0cd6-415a-958d-f036fa87842e.tmp]
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7ee28b04-e368-4dea-ae85-1a759944429c.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsce676b06-8431-46d2-8907-9cfdd34d02b4.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms0299d547-1040-4ff9-8354-e3dcd3c33b8e.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms66160380-6602-433a-996c-5b378dded223.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1df57137-a2c6-413d-bdb7-5808c953ded0.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsfb63f6c3-743a-4659-8ce6-5e36175299d1.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse64a643c-9ed1-409d-9c73-bdb882377405.tmp". The operation completed successfully
02:52: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse091fefc-0cd6-415a-958d-f036fa87842e.tmp". The operation completed successfully
02:49: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5165a450-329b-479c-b1c3-c4442b323689.tmp]
02:47: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsd66bed76-44a0-40f9-b0af-f32c3ed9c2a5.tmp]
02:44: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-01-2007 - 07-30-51.sbu]
02:40: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\default]
02:38: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\tony luo\ntuser.dat]
02:38: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\drivers\fidbox.dat]
02:37: C:\WINDOWS\system32\drivers\core.sys (ID = 513403)
02:37: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
02:31: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms0ede987e-c5fa-4013-9500-f24b357b5656.tmp]
02:30: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
02:26: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-22-2007 - 23-20-23.sbu]
01:59: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms39f5699a-f940-4d59-822a-a3414d6473b6.tmp]
01:59: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-13-2007 - 17-46-40.sbu]
01:56: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc01687d6-65c9-41b1-9cd7-abe1c722c734.tmp]
01:50: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 05-09-2007 - 14-48-02.sbu]
01:49: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5c219788-405f-4dcf-a10a-49749d99e52b.tmp]
01:43: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsbd6087a8-1d6d-44e2-95bc-c5068b5b90eb.tmp]
01:36: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-28-2007 - 00-28-44.sbu]
01:30: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-05-2007 - 12-14-18.sbu]
01:30: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-03-2007 - 16-58-57.sbu]
01:27: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-10-2007 - 16-23-05.sbu]
01:23: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-23-2007 - 21-51-11.sbu]
01:17: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 05-08-2007 - 16-03-12.sbu]
01:17: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms6b7552c2-7315-4b99-a04c-a49bffbba522.tmp]
01:17: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-01-2007 - 11-35-31.sbu]
01:16: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-19-2007 - 21-56-30.sbu]
01:16: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-09-2007 - 17-10-16.sbu]
01:14: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\security]
01:09: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\catroot2\tmp.edb]
01:08: Warning: AntiVirus engine for IFO returned [File Corrupted] on [c:\documents and settings\tony luo\local settings\temporary internet files\content.ie5\yr87mz6f\page_not_responding[1].html]
01:08: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-12-2007 - 07-08-16.sbu]
01:06: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-03-2007 - 10-05-40.sbu]
01:06: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-17-2007 - 15-04-02.sbu]
01:05: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms67a5e474-3a6c-4240-a6e8-55c8f91d9825.tmp]
01:05: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
01:04: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-28-2007 - 20-36-47.sbu]
01:03: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-18-2007 - 08-08-11.sbu]
01:03: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-31-2007 - 09-29-22.sbu]
01:03: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-26-2007 - 00-53-46.sbu]
01:02: Warning: AntiVirus engine for IFO returned [File Corrupted] on [c:\documents and settings\tony luo\local settings\temporary internet files\content.ie5\kdeehe84\headimg[1]]
00:59: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
00:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-15-2007 - 16-05-01.sbu]
00:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-15-2007 - 10-38-24.sbu]
00:53: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\lavasoft\ad-aware se personal\skins\ad-aware se default.ask]
00:51: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\mcafee.com\agent\news\valert.ui]
00:51: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3689b046-7b5a-46f7-ae05-417a243709b7.tmp]
00:50: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-11-2007 - 19-15-05.sbu]
00:47: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-24-2007 - 18-01-53.sbu]
00:45: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\mcafee.com\agent\uninst\screm.ui]
00:42: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-10-2007 - 01-59-17.sbu]
00:42: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-08-2007 - 19-29-30.sbu]
00:41: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 05-05-2007 - 22-47-27.sbu]
00:38: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-28-2007 - 08-06-40.sbu]
00:38: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-04-2007 - 07-28-03.sbu]
00:37: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\hiberfil.sys]
00:36: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-22-2007 - 12-21-52.sbu]
00:36: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 05-12-2007 - 21-12-24.sbu]
00:36: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 05-17-2007 - 22-22-09.sbu]
00:36: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-01-2007 - 09-49-36.sbu]
00:34: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-04-2007 - 09-33-44.sbu]
00:33: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-30-2007 - 11-59-49.sbu]
00:32: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-12-2007 - 17-16-10.sbu]
00:29: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 06-26-2007 - 20-43-24.sbu]
00:29: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-04-2007 - 22-43-35.sbu]
00:29: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 08-03-2007 - 21-27-22.sbu]
00:29: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\tony luo\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-03-2007 - 23-58-52.sbu]
00:26: C:\WINDOWS\system32\bund1 (1 subtraces) (ID = 2147561570)
00:26: C:\WINDOWS\system32\micro1 (ID = 2147550659)
00:26: Found Trojan Horse: trojan-downloader-micro1
00:26: Starting File Sweep
00:26: Cookie Sweep Complete, Elapsed Time: 00:00:00
00:26: c:\documents and settings\tony luo\cookies\tony luo@adlegend[2].txt (ID = 2074)
00:26: Found Spy Cookie: adlegend cookie
00:26: c:\documents and settings\tony luo\cookies\tony luo@about[2].txt (ID = 2037)
00:26: Found Spy Cookie: about cookie
00:26: c:\documents and settings\tony luo\cookies\tony luo@a.websponsors[1].txt (ID = 3665)
00:25: Found Spy Cookie: websponsors cookie
00:25: Starting Cookie Sweep
00:25: Registry Sweep Complete, Elapsed Time:00:00:45
00:25: HKU\S-1-5-21-2422525118-3929007035-3564027493-1006\software\microsoft\windows\currentversion\ext\stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}\ (ID = 1922744)
00:25: Found Adware: coolwebsearch (cws)
00:25: HKLM\system\currentcontrolset\enum\root\legacy_tnidriver\ (ID = 2255202)
00:25: HKLM\system\controlset002\enum\root\legacy_tnidriver\ (ID = 2255201)
00:25: HKLM\system\currentcontrolset\services\core\ (ID = 2152215)
00:25: HKLM\system\currentcontrolset\services\tnidriver\ (ID = 2136507)
00:25: HKLM\system\controlset001\enum\root\legacy_tnidriver\ (ID = 2136375)
00:25: HKLM\software\microsoft\aoprndtws\ (ID = 2128500)
00:25: HKLM\system\controlset002\services\core\ (ID = 2118420)
00:25: HKLM\system\controlset002\enum\root\legacy_core\ (ID = 2118399)
00:25: HKLM\system\controlset001\services\core\ (ID = 2118343)
00:25: HKLM\system\controlset001\enum\root\legacy_core\ (ID = 2118323)
00:25: Found Adware: core adware
00:25: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
00:25: Found Adware: virtumonde
00:25: Starting Registry Sweep
00:25: Memory Sweep Complete, Elapsed Time: 00:25:28
00:04: ApplicationMinimized - EXIT
00:04: ApplicationMinimized - ENTER
00:01: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\DOCUMENTS AND SETTINGS\TONY LUO\LOCAL SETTINGS\HISTORY\HISTORY.IE5\MSHIST012007081420070815\INDEX.DAT]
23:59: Starting Memory Sweep
23:59: Start Custom Sweep
23:59: Sweep initiated using definitions version 968
20:46: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\WINDOWS\INTERNET LOGS\ZALOG.TXT]
20:39: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\WINDOWS\SYSTEM32\DLA\DLA.INI]
20:38: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\WINDOWS\TEMP\WGAERRLOG.TXT]
20:38: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\DOCUMENTS AND SETTINGS\TONY LUO\LOCAL SETTINGS\TEMP\TZK268.TMP]
20:38: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\DOCUMENTS AND SETTINGS\TONY LUO\LOCAL SETTINGS\HISTORY\HISTORY.IE5\MSHIST012007081420070815\INDEX.DAT]
20:38: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\WINDOWS\INTERNET LOGS\BU_TOSAVE.RDB]
20:38: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\WINDOWS\DEBUG\USERMODE\USERENV.LOG]
19:03: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\DOCUMENTS AND SETTINGS\TONY LUO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT]
19:03: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [C:\DOCUMENTS AND SETTINGS\TONY LUO\RECENT\22222.LNK]
18:29: None
18:29: Traces Found: 0
18:29: Memory Sweep Complete, Elapsed Time: 00:00:12
18:29: Sweep Canceled
18:29: Starting Memory Sweep
18:29: Start Custom Sweep
18:29: Sweep initiated using definitions version 968
18:24: Your definitions are up to date.
18:22: Your virus definitions have been updated.
18:22: Informational: Loaded AntiVirus Engine: 2.47.0; SDK Version: 4.19E; Virus Definitions: 07-08-14 16:07:50 (GMT)
18:20: Your spyware definitions have been updated.
18:14: None
18:14: Traces Found: 0
18:13: Sweep Canceled
18:13: Start Full Sweep
18:13: Sweep initiated using definitions version 906
18:13: Informational: ShieldEmail: Start monitoring port 25 for mail activities
18:13: Informational: ShieldEmail: Start monitoring port 110 for mail activities
Keylogger: Off
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
18:12: Shield States
18:12: License Check Status (0): Success
18:12: Spyware Definitions: 906
18:11: Spy Sweeper 5.5.7.48 started
18:11: Spy Sweeper 5.5.7.48 started
18:11: | Start of Session, 07-08-14 |
***************

AndyManchesta, on Aug 13 2007, 03:52 PM, said:

Hi tonyluo, Welcome to the forum

Run HijackThis and choose Do A System Scan then place a check next to this entry

O2 - BHO: 0 - {92F1701D-7D4C-4A93-B7B5-11A1C841F7B3} - C:\Program Files\MSN\lavuhaxo.dll (file missing)

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file

Please then download WebRoot SpySweeper from HERE (It's a 14 day trial):

• Click the Download now link on the right to download the program.
  
• Double-click the file to install it as follows:

• Click "Next", read the agreement, Click "Next"
  
• Choose "Custom" click "Next".
  
• Leave the default installation directory as it is, then click "Next".
  
• UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  
• On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  
• Finally, click "Install"

• Once the program is installed, it will open.
  
• It will prompt you to update to the latest definitions, click Yes.
  
• Once the definitions are installed, disconnect from the internet.
  
• Click Options on the left side.
  
• Click the Sweep Options tab.
  
• Under What to Sweep please put a check next to the following:
  
• Sweep Memory
  
• Sweep Registry
  
• Sweep Cookies
  
• Sweep All User Accounts
  
• Enable Direct Disk Sweeping
  
• Sweep Contents of Compressed Files
  
• Sweep for Rootkits
  
• Please UNCHECK Do not Sweep System Restore Folder.

• Click Sweep Now on the left side.
  
• Click the Start button.
  
• When it's done scanning, click the Next button.
  
• Make sure everything has a check next to it, then click the Next button.
  
• It will remove all of the items found.
  
• Click Session Log in the upper right corner, copy everything in that window.
  
• Click the Summary tab and click Finish.
  
• Paste the contents of the session log you copied into your next reply.

Post back the Spysweeper log and the Blacklight log if its finds any hidden files and also let us know what the filenames and paths are that AVG keeps detecting if possible,

Cheers

Andy

[AndyManchesta]

I wouldnt worry about cookies as they are just harmless text files, even logging into sites like hotmail will add third party cookies and they will then be detected by Antispy scanners as they are added by the companies hosting the banner ads like fastclick, doubleclick etc.. rather than hotmail itself, just use CCleaner to remove them when you finish browsing each day. SpySweeper has detected afew other problems though so lets run a couple more tools to make sure there's nothing remaining.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  
• Press any Key and it will restart the PC.
  
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  
• Paste the contents of the Report.txt back on the forum

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Please then post back the SDFix log (Report.txt), Combofix log and a new HijackThis log (use the button at the bottom of the page when you post as that doesn't quote my reply)

Let us know if you have any problems

Andy

[tonyluo]

Thank you for your quick reply! I'll post them once get my new logs.

[tonyluo]

Here are 3 log files:

SDFix: Version 1.98

Run by tony luo on 07-08-17 at 00:50

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Java\\jdk1.5.0_04\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.5.0_04\\bin\\java.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe:*:Disabled:ConfigFree SUMMIT Engine"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Disabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\IVP\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Disabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Disabled:Yahoo! Music Engine"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\\Program Files\\Java\\jdk1.5.0_04\\jre\\bin\\javaw.exe"="C:\\Program Files\\Java\\jdk1.5.0_04\\jre\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\apache\\Apache.exe"="C:\\apache\\Apache.exe:*:Enabled:Apache"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Disabled:TVU Player Component"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"D:\\AOLSETUP.EXE"="D:\\AOLSETUP.EXE:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1149979328\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1149979328\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1136762199\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1136762199\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Disabled:WS_FTP 95"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"D:\\AOLSETUP.EXE"="D:\\AOLSETUP.EXE:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Internet Explorer\wininet.dll
C:\WINDOWS\CdaC14BA.DLL
C:\Program Files\Internet Explorer\iexplore.exe.local
C:\WINDOWS\CdaC13BA.EXE
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS00391727-0F1E-4491-951F-C4461726B963.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS004C8D41-2FE2-454C-A1B9-ED54A3C89CA9.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS086D83FE-B2D1-4E7F-870C-2DC181FA20CE.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS09C07E75-811B-47F0-A785-02A37327655A.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1167771C-9B0C-4378-9E23-A45B4FE9EADD.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS11A8D5EA-920C-4233-92DF-17BCAF196B97.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS12127EC2-42A7-4C5E-B926-A480A8F93C1C.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1221A20B-C5F6-4908-9E6C-0444C16478F7.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS13D315B1-80CE-42D8-855D-50649B1D2645.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS144972B0-A073-408A-9928-F5137B6A9C97.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS15AAD966-7132-437E-B786-DCB0B75FC832.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1614A12E-8456-47AB-A093-6EC70016BCDE.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1A184E8A-C225-4BB2-AF73-F0FCE994F887.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1C9BF01A-FAD5-4169-8398-A32D0AFD2666.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS20FED532-BD7E-4E21-8244-64E1AD6F85E3.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2DB92338-64FE-4831-BE2D-80F41A385DFD.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2E702E97-7E7E-48EA-BB12-0E8D4D816380.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS305453A1-43D6-4C3F-A80F-399E79B79038.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS30819326-95AC-44EC-8C8B-441B376CE436.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS38A2A33F-4E4A-413F-8749-FFBECD90744F.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3A86B412-0A73-49A9-88AB-64912FFC7181.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3B21F6A8-24FF-46CF-8B0F-BF6E85971795.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3DE48EDF-CB5B-43D3-AA70-82DBEF3FE09A.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3F35B80F-60B1-4638-921A-0C5AEBF65FA8.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS454A7771-5AF8-4A72-969E-1AB380B341EC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS47B06DE3-38A6-4F73-B25D-77FF81EE5985.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4C63063B-C0CC-4C07-A358-E983CFEFEAF2.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4E28974E-C6C1-4B7B-858E-AB83A9CB9EA8.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5156507B-5220-46FA-976A-49241F9D8FFF.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5782F7BF-E62F-4AE4-A08C-78DDE80F0446.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5A72A407-87B4-47E0-A744-1533D319DE86.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5D816A2E-B7AE-473A-851B-FFE6B0D65249.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5D8AFE50-E5E2-46EE-A7A0-8630BB35C8DE.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS607A9E4C-E708-4DFF-B7F7-073B1FC310BE.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6099D8FD-4CA6-4BEC-8B2C-0988F517C4D1.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6196F886-F4A6-4D77-B76D-E74FFC6777CC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6381078F-6DD4-4800-B903-0D0BF0EF8409.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS67D135E3-1356-4546-B3C4-8DE3032A92FC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS69E8093F-8EFD-47AA-AFC3-C5B06B00D90C.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6E9F13C7-34B6-4AA3-8BB4-27AE9F047484.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6F8BC9C6-8863-4CB0-A646-609752994B53.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS73E53D3A-D213-4882-82BC-3C679A1BAFF2.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS778890B8-D579-4DDA-A5FB-EAAA99CE5AD4.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS781B4865-123B-4D2B-AEF0-F26D85B418C2.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7D4427F7-1C70-4FEC-8960-C84DACCF0E2C.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS80A68327-7C28-4F18-83B5-EC58583F6E08.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS83CC3DE5-9F96-4D5A-8A9E-3C2F9A247266.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS85B04718-4305-4F8B-8513-91903DE2CF92.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8998364B-B2CE-4AF0-8548-D6F0FEE979EC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8B3DF25D-7188-45D4-AC6D-1F33A0FB6D93.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8F133235-1AE1-44DB-A23D-ECCD4F8DB162.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS91D6CB58-DB4D-4DDA-9E1C-89C3839E01EF.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS96404899-3BEC-472F-9A63-B9ECFB370749.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS98947242-EAF4-480D-BF47-BD26FAECAF25.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9930C9F7-85C4-4E15-A0B8-FC05E8699BDC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9968148A-9868-4EE0-A766-F9B4752B50E7.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9E5D5291-6CF7-4200-844C-E2C6DF9E010E.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9FABF5AF-CA22-4015-BCAE-1F459F79C053.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA6692636-F712-46DF-8455-5C5F5A022DBA.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA7EC7F45-8350-4C3F-9B5C-ED47153F4D36.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA8CE9578-4DBF-49A3-A3A0-88ED7753B973.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSABB32C94-A061-4B13-BC4A-3B4FF0D9C2BC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSADC2FAD2-031E-480D-858D-919B9B093A49.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB3C253A4-E198-48A0-95A5-1108B60616A7.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB8F0AB3C-A2DE-4E41-BB4B-58274019BEB4.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB98C366A-D497-49C4-B0F8-87AE3D90B248.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBBD9C7FC-19CD-4757-B6AC-6B403E521D52.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBEE1E73A-FEED-4381-A729-E0F34BE3570A.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBF8FA213-4E1D-4F03-AF16-70B8FAE36E53.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC6968ADF-A54B-4B4D-80E7-4EDB6D4CFD5B.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC88C108A-82E7-4556-A08F-F663C7393094.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCB130DF6-E7E1-4DD0-9C19-988A5CC471E5.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCEC490FD-F125-48A4-91E7-0E9DCB2F65A3.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD4FA991D-AF76-41B2-AA57-4990A74BF529.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD7A617EC-A7B6-4AF8-A7ED-3561560FE89F.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD8DE5FF2-9FFE-49E9-AB36-276D6BF023ED.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDBB65785-D586-45D6-9379-DEF25E1780A5.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDC0AF8DD-03DC-4023-9FB7-69074186E2AE.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDC160BA7-A44E-4DCC-848B-015C4B9B0DF4.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE146102F-884D-4DD8-8D44-FF6D7AB557F3.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE6753051-DBD9-4B1D-88DB-7821526FCA1B.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE81F53C0-FE8D-4586-81B6-2DAC9C9B1DD6.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEBB1557A-64D9-4BA0-A76A-1E2A616BF4FC.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEE3FED45-16E8-4B28-B777-DFE15C9DF0DA.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF57A2F09-BCAF-4764-8381-EB90FA6211B6.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF8D20DAB-B08D-4CF9-919B-D6CFB95CF95E.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFB2322AA-DCA7-4891-9CEF-445ED256B879.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFB4EBF2F-6132-400C-9133-7C36B94106A4.tmp
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFF59C2DF-6AD0-49AF-90D4-FD87CB4AA3EA.tmp
C:\Documents and Settings\tony luo\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\tony luo\Application Data\Microsoft\Word\~WRL3707.tmp
C:\Documents and Settings\tony luo\My Documents\~WRL0005.tmp
C:\Documents and Settings\tony luo\My Documents\~WRL0051.tmp
C:\Documents and Settings\tony luo\My Documents\~WRL0129.tmp
C:\Documents and Settings\tony luo\My Documents\~WRL1844.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished
--------------------------------------
ComboFix 07-08-14.4 - "tony luo" 2007-08-17 1:19:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.19 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\temp\tn3
C:\WINDOWS\retadpu.exe.bin
C:\WINDOWS\sks~1


((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


2007-08-17 01:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 00:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-15 22:43 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-08-14 18:02 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-14 18:01 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-14 18:01 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-14 18:01 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-08-14 18:01 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-14 18:01 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-08-14 18:01 <DIR> d-------- C:\Program Files\Webroot
2007-08-14 18:01 <DIR> d-------- C:\DOCUME~1\TONYLU~1\APPLIC~1\Webroot
2007-08-14 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-07-31 22:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-27 16:27 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-27 16:27 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-27 16:27 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-27 16:27 3,061,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-27 16:26 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-27 16:25 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-27 16:25 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-27 16:24 <DIR> d-------- C:\WINDOWS\Internet Logs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-17 00:40 31340 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-16 22:48 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-04 16:11 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-07 14:00 --------- d-------- C:\Program Files\SpywareGuard
2007-07-01 21:58 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-01 21:57 --------- d-------- C:\Program Files\eBay
2007-06-26 04:27 363520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-06 18:03 49152 -ra------ C:\WINDOWS\system32\inetwh32.dll
2007-06-06 18:03 1044480 -ra------ C:\WINDOWS\system32\roboex32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 08:33]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 00:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 17:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 17:43]
"NDSTray.exe"="NDSTray.exe" []
"CFSServ.exe"="CFSServ.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 08:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 08:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-09 18:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-09 17:54:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^tony luo^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\tony luo\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bantool]
C:\WINDOWS\system32\micro1\b9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
C:\Program Files\DeluxeCommunications\Dxc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1149979328\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IVPServiceMgr]
C:\toshiba\ivp\ism\ivpsvmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDrive]
rundll32.exe "C:\WINDOWS\system32\xctmcogg.dll",setvm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
"c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"Avg7Alrt"=2 (0x2)

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
S3 DC21x4;DC21x4 Based Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\dc21x4.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
S3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 01:27:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-17 1:29:15
C:\ComboFix-quarantined-files.txt ... 2007-08-17 01:29

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:32:04 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178233001421
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A995501-276A-45B1-BCD1-7DE6D7FD88E3}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA777ED9-DA27-49F5-A522-E766B4CEB726}: NameServer = 72.21.36.74
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[AndyManchesta]

Thanks Tony,

Just a couple of entries to clean up

Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bantool]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDrive]

Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg (or right click and choose Merge) and allow it to be merged into the registry which will remove the entries.

There's alot of Security programs being prevented from starting with Windows by Msconfig, to make sure the system stays protected you should make sure at least one of the AV's are running all the time on the system, if you need to check that you can test the real time protection using the Eicar test file from here

http://www.eicar.org...s_test_file.htm

Even though the files on there are harmless, all AV's are aware of the test file so they should block it as soon as you attempt to save it to your system and show an alert for the Eicar test string or something similar,

You also have Zone Alarm blocked in msconfig but its doesnt appear to be still on your system so let me know if its been uninstalled and its entry can be removed

Delete SDFix.exe and Combofix.exe as they are updated every few days so its not worth keeping them on the system

Also delete these files and folders

C:\SDFix
C:\ComboFix-quarantined-files.txt
C:\ComboFix
C:\Qoobox

Delete these below if they are still on the system, set Windows to show hidden files and folders first though to make sure they do not exist

Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

Delete if found:

C:\WINDOWS\system32\micro1 <-- Folder
C:\Program Files\DeluxeCommunications <-- Folder
C:\WINDOWS\system32\xctmcogg.dll <-- File


Can you then upload your Internet Explorer folder to my upload channel at Bleeping Computer as it contains a couple of files that Id like to take a closer look at. Open C:\Program Files then locate the Internet Explorer folder, right click it and choose Send To > Compressed (Zipped) Folder which will then make a copy in the same area named Internet Explorer.zip

Please then visit the below link

http://www.bleepingcomputer.com/submit-mal....php?channel=27

When the upload page opens click Browse and locate the C:\Program Files\Internet Explorer.zip folder then click Send File and it will show this message

Quote

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

The files inside it are probably all fine but I'd like to confirm that, I'll let you know either way once I've checked them.

Thanks

[tonyluo]

While I'm still looking, may be you can answer some questions first:

--You also have Zone Alarm blocked in msconfig but its doesnt appear to be still on your system so let me know if its ---been uninstalled and its entry can be removed

I did uninstall ZoneAlarm then reinstall it, it's running. but I disable zlclient at startup, is that the question you asking?

I was wondering why ZoneAlarm run by itself if I disable zlclient at startup? is it better enable it at startup?

Thanks!

[AndyManchesta]

Hi Tony,

Thats fine, I just wanted to make sure Zone Alarm was still on the system with it being disabled in msconfig but I can see now its service is still running (vsmon) in your log, Im not sure if it will still provide the same protection though or allow you to choose what can and cannot access the net if part of it isn't running so it's probably better to either uninstall it if you didnt want it running or allow all of its components to load by enabling the msconfig entry if you did want it to provide protection.

Please also read Tony Klein's excellent article below as it contains lots of useful links and tips to help keep the PC secure

So how did I get Infected in the First Place?

Let us know when you upload the file at BC or if there's any remaining problems

Thanks

[tonyluo]

Hi,Andy

File of IE has uplaoded to BC.

I'll enable ZoneAlarm and one of AV's at startup. Thanks!

[AndyManchesta]

Cheers Tony,

Thanks for uploading the file at BC, I checked it earlier and there's no problems, with SDFix showing a couple of files in that folder with hidden attributes I just wanted to take a look at them as there is a couple of nasties that can modify iexplore.exe to load trojan files, yours is fine though which is always nice to see

Let us know if you have more problems anytime

Happy Surfing

Andy

[tonyluo]

HI,I don't have popup window for a week since working with you, I try update and scan with AVG Anti-Virus just now, result a Trojan horse BackDoor.Generic6.ECS, is this a normal thing we should expected while online? or something I need pay attention?

[AndyManchesta]

Hi Tony

No its not a normal thing you should expect online, the name Backdoor.Generic doesnt really tell us much as its not identified the trojan so can you see if its created an alert log to show where the trojan was detected on the system and what the filename is.

Cheers