
Heavy amount of malware and adware!


Name: Mattdim805
Date: September 16, 2007 at 13:50:14 Pacific
OS: Windows XP 2002 Home SP2
CPU/Ram: HP AMD Turion64/1.00 GB
Product: HP Pavilion/dv5000
Comment:

Lately, I have been searching online for computer games I used to play when I was younger (ex. Quest for Glory, The Oregon Trail). I downloaded a program called uTorrent to find some of these games, and to extract the files. I also went to http://www.xtcabandonware.com and found a lot of games in DOS format. So of course, I downloaded my favorites and opened them. Well, since about the time I downloaded uTorrent, Avast has been finding a lot of Trojans and Adware on my computer, usually about three at a time. Win32: Tiny-IF [Trj] is just one of them. How can I get down to the root of the problem and get rid of the current problem, and prevent it from occurring in the future? Any help is appreciated. Thank you very much.




Response Number 1
Name: jabuck
Date: September 16, 2007 at 14:17:34 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: Mattdim805
Date: September 18, 2007 at 15:17:13 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:33 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 2.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 5.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Chelsea\me 12.jpg
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew\matthew1.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 3.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 7.jpg
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 6.jpg
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 4.jpg
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 8.jpg
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\Admin\Desktop\Our Pictures\Misc\livelaughlove.jpg

--
End of file - 7860 bytes


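The HijackThis log above is reviewed by eye in the thread ("Not much showing"). As an added example, not part of the original thread and not HijackThis code, the script below parses the R0/R1, O4, O16 and O23 line formats that appear in that log into records and applies a few defensive triage heuristics: an autostart or service binary living in a user-writable location, a service with no vendor information, and a browser setting or ActiveX download that points at a host outside a small allowlist. The allowlist, the user-writable markers and the sample log are constructed for illustration; most sample lines are copied from the posted log, while the "updater", "Video Plugin" and "helper svc" entries are invented so the heuristics have something to surface.

```python
"""Parse a HijackThis v2 log and flag entries worth a second look.

Added example for this thread; not HijackThis code and not posted by the
thread's participants. Allowlists and the sample log are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis log format. The "updater", "Video Plugin"
# and "helper svc" lines are invented; the rest mirror the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Admin\LOCALS~1\Temp\updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Video Plugin) - http://example.invalid/plugin.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: helper svc - Unknown owner - C:\Documents and Settings\Admin\Application Data\helper.exe
"""

@dataclass
class Entry:
    code: str       # HijackThis section code, e.g. "O4"
    name: str       # value name, service name or ActiveX label
    target: str     # executable path or URL the entry points at
    detail: str = ""  # hive, vendor, CLSID or registry key

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
IE_RE = re.compile(r"^(?P<key>HK\w+\\.*?),(?P<value>[^=]+?) = (?P<url>\S+)$")
# First drive-letter path ending in an executable extension, quotes stripped.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|cmd|bat|com))', re.IGNORECASE)

def executable_of(cmd: str) -> str:
    """Strip arguments and quotes from a Run/service command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()

def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            r = RUN_RE.match(body) or STARTUP_RE.match(body)
            if r:
                hive = r.groupdict().get("hive", "Startup folder")
                entries.append(Entry(code, r.group("name"), executable_of(r.group("cmd")), hive))
                continue
        elif code == "O16":
            r = DPF_RE.match(body)
            if r:
                entries.append(Entry(code, r.group("name"), r.group("url"), r.group("clsid")))
                continue
        elif code == "O23":
            r = SERVICE_RE.match(body)
            if r:
                entries.append(Entry(code, r.group("name"), executable_of(r.group("path")), r.group("vendor")))
                continue
        elif code in ("R0", "R1"):
            r = IE_RE.match(body)
            if r:
                entries.append(Entry(code, r.group("value"), r.group("url"), r.group("key")))
                continue
        entries.append(Entry(code, "", body))  # keep unparsed lines; nothing is dropped silently
    return entries

# Constructed allowlist; a real review uses the site's own inventory of vendors.
TRUSTED_DOMAINS = ("microsoft.com", "hp.com")
# Locations a normal user can write to; autostarts there deserve a closer look.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\",
                 "\\documents and settings\\", "\\docume~1\\")

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (code, name, reason) for entries the heuristics flag."""
    findings = []
    for e in entries:
        low = e.target.lower()
        if e.code in ("O4", "O23") and any(mark in low for mark in USER_WRITABLE):
            findings.append((e.code, e.name, "autostart/service binary lives in a user-writable location"))
        if e.code == "O23" and e.detail.strip().lower() == "unknown owner":
            findings.append((e.code, e.name, "service has no vendor information"))
        if e.code in ("O16", "R0", "R1") and low.startswith("http") and not is_trusted_host(host_of(e.target)):
            findings.append((e.code, e.name, f"points at unfamiliar host {host_of(e.target)}"))
    return findings

if __name__ == "__main__":
    for code, name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{code:<4}{name:<20}{reason}")
```

The heuristics deliberately err toward asking questions rather than answering them, which matches the thread's advice not to let HijackThis "fix" anything on a first pass: the avast short-name path (`PROGRA~1`) and the HP redirect start page are legitimate and pass, while anything autostarting from a temp or profile directory is listed for a human to check.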

Response Number 3
Name: jabuck
Date: September 18, 2007 at 17:48:17 Pacific
Reply:

Not much showing in the Hijack This log.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1 as running the other options on an uninfected computer will damage the desktop. !!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Please download SDFix by AndyManchesta and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.


Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



Response Number 4
Name: Mattdim805
Date: September 20, 2007 at 15:12:07 Pacific
Reply:

It is saying it has not found any viruses or trojans, but avast keeps catching them in the act. Hasn't happened since I've run the final catchme executable, but they were showing up while the other programs were running. Where do I go from here, or is it complete?


SmitFraudFix v2.226

Scan done at 13:44:59.58, Thu 09/20/2007
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.exe
C:\WINDOWS\system32\WISPTIS.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Documents and Settings\\Admin\\Desktop\\Our Pictures\\Matthew And I\\matthew and I 2.jpg"
"SubscribedURL"="C:\\Documents and Settings\\Admin\\Desktop\\Our Pictures\\Matthew And I\\matthew and I 2.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Documents and Settings\\Admin\\Desktop\\Our Pictures\\Matthew And I\\matthew and I 5.jpg"
"SubscribedURL"="C:\\Documents and Settings\\Admin\\Desktop\\Our Pictures\\Matthew And I\\matthew and I 5.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Documents and Settings\\Admin\\Desktop\\Our Pictures\\Chelsea\\me 12.jpg"
"SubscribedURL"="C:\\Documents and Settings\\Admin\\Desktop\\Our Pictures\\Chelsea\\me 12.jpg"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 38.98.1.5
DNS Server Search Order: 38.98.10.132

HKLM\SYSTEM\CCS\Services\Tcpip\..\{735BE5CF-F08F-46F8-8618-D4D42ADEAD51}: DhcpNameServer=38.98.1.5 38.98.10.132
HKLM\SYSTEM\CS1\Services\Tcpip\..\{735BE5CF-F08F-46F8-8618-D4D42ADEAD51}: DhcpNameServer=38.98.1.5 38.98.10.132
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=38.98.1.5 38.98.10.132
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=38.98.1.5 38.98.10.132


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix 07-09-20.1 - "Admin" 2007-09-20 13:50:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.516 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\fccccbb.dll
C:\WINDOWS\system32\gebcayx.dll
C:\WINDOWS\system32\rtvwa.bak1
C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
C:\WINDOWS\system32\rtvwa.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-20 13:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-20 13:45 2,936 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-20 13:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-20 13:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-20 13:44 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-20 13:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-19 12:21 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-19 07:53 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Windows Desktop Search
2007-09-18 23:41 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-18 23:41 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-09-18 23:31 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-09-18 22:59 <DIR> d-------- C:\Program Files\Microsoft Small Business
2007-09-18 22:11 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-18 21:52 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-18 20:56 <DIR> dr-h----- C:\MSOCache
2007-09-18 19:47 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-09-18 19:40 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-18 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-18 13:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-09-18 11:18 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Help
2007-09-17 00:52 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Emulators
2007-09-17 00:51 3,664 --a------ C:\WINDOWS\system32\drivers\GEM98.SYS
2007-09-16 21:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SMSI
2007-09-16 21:39 59,904 --a------ C:\WINDOWS\system32\MSCC2FR.dll
2007-09-16 21:39 40,960 --a------ C:\WINDOWS\system32\FLXGDFR.dll
2007-09-16 21:39 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.dll
2007-09-16 21:39 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-09-16 21:39 <DIR> d-------- C:\Program Files\MacNames
2007-09-13 17:37 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\WinRAR
2007-09-12 11:27 110 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\MostFunGameId.bin
2007-09-11 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
2007-09-11 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-09-11 19:32 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\BitTorrent
2007-09-10 19:45 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-10 19:10 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Talkback
2007-09-10 18:06 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Viewpoint
2007-09-08 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-08 12:47 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Yahoo!
2007-09-08 12:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-09-08 12:45 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-06 13:25 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\AdobeUM
2007-09-03 17:35 <DIR> d-------- C:\Program Files\Netflix
2007-09-03 10:56 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\acccore
2007-09-03 10:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-09-03 10:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-03 10:54 335 --a------ C:\WINDOWS\nsreg.dat
2007-09-03 10:54 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-03 10:54 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-03 10:54 <DIR> d-------- C:\Program Files\AIM6
2007-09-03 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-03 10:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-02 10:42 <DIR> d-------- C:\WINDOWS\ShellNew
2007-09-02 10:40 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Microsoft Web Folders
2007-09-01 16:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 16:23 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 16:23 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 16:23 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-01 16:23 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 16:23 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 16:23 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-01 16:23 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-01 16:14 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\HP
2007-09-01 09:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-01 08:57 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-31 11:03 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-31 11:01 <DIR> d--hs---- C:\DOCUME~1\Admin\UserData
2007-08-31 11:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
2007-08-31 11:01 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\GTek
2007-08-31 09:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-31 09:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-31 09:47 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2007-08-31 09:46 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-08-31 09:45 <DIR> d-------- C:\Program Files\Sonic
2007-08-31 09:44 <DIR> d-------- C:\Program Files\Quickensetup
2007-08-31 09:44 <DIR> d-------- C:\Program Files\Quicken
2007-08-31 09:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit
2007-08-31 09:43 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-08-31 09:43 1,324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-31 09:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-31 09:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-08-31 09:42 73,728 --a------ C:\WINDOWS\system32\hpqactn.dll
2007-08-31 09:42 458,752 --a------ C:\WINDOWS\system32\hpqPres.dll
2007-08-31 09:42 32,768 --a------ C:\WINDOWS\system32\eabhbrn8.dll
2007-08-31 09:42 282,624 --a------ C:\WINDOWS\system32\cpqinfo.dll
2007-08-31 09:41 7,936 --a------ C:\WINDOWS\system32\drivers\eabfiltr.sys
2007-08-31 09:41 5,760 --a------ C:\WINDOWS\system32\drivers\EabUsb.sys
2007-08-31 09:40 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-08-31 09:40 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-08-31 09:40 <DIR> d-------- C:\Program Files\muvee Technologies
2007-08-31 09:40 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-08-31 09:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\muvee Technologies
2007-08-31 09:36 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-08-31 09:30 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
2007-08-31 09:27 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-08-31 09:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-08-31 09:26 <DIR> d-------- C:\Program Files\HP
2007-08-31 09:26 <DIR> d-------- C:\Program Files\Common Files\HP
2007-08-31 09:25 87,275 --a------ C:\WINDOWS\hpqins69.dat
2007-08-31 09:20 32,356 --a------ C:\WINDOWS\system32\pusbfd1.sys
2007-08-31 09:20 <DIR> d-a------ C:\WINDOWS\system32\pcintro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-02 1rogram Files\microsoft frontpage
2007-08-31 09:20 1588 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_Pavilion dv5000 (ET805UA#ABA)_YN_0Pavi_QCND61400RS_EU_46_I30A4_SHP_V49.38_BF.33_T060224_WXH2_L409_M1023_J100_7AMD_8Turion 64 Technology ML-32_91.79_#070831_N10EC8139_(ET805UA#ABA)_XMOBILE_CN10.MRK
2005-09-24 00:49 12288 --a------ C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 00:47]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 14:26]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 08:57]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 11:39]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 14:17]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 01:39:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [1999-02-17 13:05:56]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 2.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 5.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Chelsea\me 12.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew\matthew1.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 7.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 6.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 4.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\8]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Matthew And I\matthew and I 8.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\9]
Source= C:\Documents and Settings\Admin\Desktop\Our Pictures\Misc\livelaughlove.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

R2 Gem98;Gem98;C:\WINDOWS\system32\drivers\Gem98.sys
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 13:58:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 14:00:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 14:00
.
--- E O F ---


SDFix: Version 1.106

Run by Admin on Thu 09/20/2007 at 14:22

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Admin\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Documents and Settings\Admin\Application Data\Microsoft\Word\~WRL0004.tmp
C:\WINDOWS\SoftwareDistribution\Download\cc642f40169f98e3642fab98abc47d75\BIT61.tmp

Finished!


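The ComboFix log above is where the thread's real evidence sits: several oddly named DLLs and `.ini`/`.bak` files deleted from `system32`, an `Autorun.inf` removed from the D: drive, and a "Files Created" section that doubles as a 30-day timeline. As an added example, not ComboFix code and not something posted in the thread, the script below parses that timeline format, lists executable content that landed in the Windows directories within the last few days before the report, and groups the deletions by directory so clusters stand out. The sample rows are copied from the posted log and trimmed; the reference date, window length and directory list are assumptions chosen for the example.

```python
"""Timeline triage over a ComboFix log.

Added example for this thread; not ComboFix code. Sample rows are trimmed
copies of the posted log; reference date and window are assumptions.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed sample: a handful of "Files Created" rows from the posted log.
SAMPLE_CREATED = r"""
2007-09-20 13:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-19 12:21 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-18 23:41 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-17 00:51 3,664 --a------ C:\WINDOWS\system32\drivers\GEM98.SYS
2007-09-16 21:39 59,904 --a------ C:\WINDOWS\system32\MSCC2FR.dll
2007-09-10 19:45 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-01 16:23 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
"""

# Constructed sample: paths from the "Other Deletions" section of the posted log.
SAMPLE_DELETIONS = r"""
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\fccccbb.dll
C:\WINDOWS\system32\rtvwa.ini
D:\Autorun.inf
"""

# date time size-or-<DIR> nine-char attribute string path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

@dataclass
class Created:
    created: datetime
    size: int        # bytes; 0 for directories
    attrs: str       # ComboFix attribute string, e.g. "--a------"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

def parse_created(text: str) -> List[Created]:
    """Turn "Files Created" rows into records; non-matching lines are skipped."""
    out: List[Created] = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        size = 0 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        out.append(Created(stamp, size, m["attrs"], m["path"].strip()))
    return out

# Assumed scope: system directories and extensions a responder looks at first.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")

def recent_system_binaries(records: List[Created], reference: str, days: int) -> List[Created]:
    """Executable files created in SYSTEM_DIRS within `days` before the end of `reference` (YYYY-MM-DD)."""
    end = datetime.strptime(reference, "%Y-%m-%d") + timedelta(days=1)
    cutoff = end - timedelta(days=days)
    hits = [r for r in records
            if not r.is_dir and cutoff <= r.created < end
            and r.path.lower().startswith(SYSTEM_DIRS)
            and r.path.lower().endswith(BINARY_EXT)]
    return sorted(hits, key=lambda r: r.created, reverse=True)

def deletions_by_directory(paths: Iterable[str]) -> Counter:
    """Count deleted files per parent directory (lower-cased, Windows path rules)."""
    return Counter(ntpath.dirname(p.strip()).lower() for p in paths if p.strip())

if __name__ == "__main__":
    recs = parse_created(SAMPLE_CREATED)
    for r in recent_system_binaries(recs, "2007-09-20", 5):
        print(r.created.isoformat(" "), f"{r.size:>9}", r.path)
    for directory, n in deletions_by_directory(SAMPLE_DELETIONS.splitlines()).most_common():
        print(f"{n:>3} deleted in {directory}")
```

Reading the output needs the same care the thread's helper applies: `Process.exe` and its neighbours at 13:44 on 2007-09-20 were dropped by SmitFraudFix itself minutes before ComboFix ran, so a responder has to recognise their own tooling in the timeline before treating anything else as suspicious. The deletion count per directory is the more telling signal here, with a cluster of short random-looking names in `system32` alongside an `Autorun.inf` on a second drive.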

Response Number 5
Name: jabuck
Date: September 20, 2007 at 18:47:55 Pacific
Reply:

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

While still in safe mode navigate to and delete the folders if found:

C:\Documents and Settings\Allusers\Application Data\Trymedia
C:\Documents and Settings\Administrator\Application Data\BitTorrent

Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.



