I have the fotomoto trojan on my pc. Avast does not find it, but Windows Defender does. Every time it catches it, Win-defender gives me the option to remove, and afterwards tells me the computer is clean. But after every reboot, Fotomoto is still running wild on my pc. Does anyone have a solution? Thanks in advance.
Hi Maze,
Fotomoto is possibly a variant of Begin2Search/B2Search/eZula.
First go to Start>Control Panel>Add/Remove Programs and remove this program if found under any of the above names. (It may not be there.)
Then try the usual free adware/spyware scanners.
AVG Anti-Spyware Free (Requires Win2k/XP)
Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free
Download, install and update all the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.
If still having problems, post a HijackThis! log.
Before dealing with it, if you know the file name and location, send the sample to virus@avast.com, zipped and password protected, with the password in the email body and "false positive/undetected malware" in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Thanks both of you. I will perform the recommendations you both mentioned above, one by one, and then post a reply later today.
Avast also detects “Win32:Agent-ISI[Trj]” and “Win32:VBStat-C[Trj]”. I was going to search the threads and start a new one if these haven’t been discussed already. Just mentioning in case these will also be solved by the above process or are related. I have been moving the files to chest, but these keep coming back.
You must uncheck system restore.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
This is likely to be of more help to us than the malware name alone.
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:
- Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
- Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
- Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
- It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care with false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- If you are still detecting any strange behavior, or even if you’re sure you’re not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
- Also, if you are still detecting strange behaviors, or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
- After you’re clean, use the immunization of SpywareBlaster or, better, the Windows Advanced Care spyware/adware cleaning and removal features.
- Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
Hi guys,
Unfortunately I wasn’t aware of unchecking System Restore, and ran scans for the last two days in safe mode with the internet plugged off. I just logged back in normally with the internet on, and I am back to square one. Would you suggest I redo everything with System Restore turned off? (I just turned it off.)
Question: I currently have Avast, Windows Defender and Spybot Search and Destroy installed. Would it conflict if I install more spyware like “AVG Antispyware” that you guys have recommended? If so, should all the programs run scans simultaneously or one by one? Is there any particular order that is most effective? Also, in safe mode Avast sensitivity was disabled (even though I tried changing it to high); is that normal, or is avast infected?
I have noted down the results of the scans and the file names and locations (pasted below). It was 3 pages in Word, so it’s long. Hopefully the information you all need is in here. I will wait for a reply and then install more spyware and redo the scans with System Restore turned off.
=====================================
Below steps were performed in Safe mode with the internet connection turned off but after updating Spybot Search and Destroy, Windows Defender and Avast to the latest version.
Step1: Spybot scan results
Step2: Windows Defender scan results
Step3: Avast Thorough scan results
Step4: Avast activity after first normal boot.
Step I. Ran “Spybot Search and Destroy 1.2”
Results:
1)Mediaplex: Tracking cookie or cookie of tracking site
File: Mediaplex[1].txt in documents and settings
2,3,4) Windows Media Player (WMP) Registry change
I tried fixing the Mediaplex and left the WMP registry change as it is. A warning message came up saying
“Some problems couldn’t be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May SpyBot-S&D run on your next system startup?” - I clicked “Yes”.
I have been through this process before with Mediaplex and Spybot, but it keeps coming back every time.
Note: Spybot did not find Fotomoto
Step II. Full System scan with “Windows Defender”
Results:
Trojan: Win32/Fotomoto.A (Alert Level: Severe)
Category:
Trojan
Description:
This program is dangerous and can hide programs or bypass security.
Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
Resources:
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1382\A0234026.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233839.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233798.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1378\A0233710.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1376\A0233657.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1375\A0233549.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233439.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1372\A0233336.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1371\A0233244.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1369\A0233166.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1368\A0233087.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1367\A0233067.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1366\A0232958.exe
file: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1364\A0232853.exe
I am not sure how to find these files and send them to you. I tried opening avast to try and save them to chest, but the chest did not open in safe mode. Hence I quarantined fotomoto using Windows Defender. Again, I have done this before. It keeps coming back.
Upon checking with Software Explorer that comes with Windows Defender, I found a program “jusched.exe” running. The following is the information that was available. Should this be disabled?
File Name: jusched.exe
Display Name: jusched.exe
Description: Not Available
Publisher: Not Available
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
File Path: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
File Size: 32881
File Version: Not Available
Date Installed: 2/22/2068 11:44:46 PM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Permitted
Ships with Operating System: No
Step III: Avast Version 4.7 Home Edition Thorough Scan
Note: Resident sensitivity for avast keeps resetting from high to disabled??
Scan results:
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233532.dll
  Malware name: Win32:BHO-ES[Trj] (deleted by avast)
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233533.exe
  Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233534.exe[Embedded#0eb0]
  Malware name: Win32:Zlob-ZL [Trj] (deleted by avast)
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233535.exe
  Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233536.dll
  Malware name: Win32:BHO-EP [Trj] (deleted by avast)
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233537.exe
  Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
- File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233538.exe
  Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
- File name: c:\WINDOWS\Temp\0lebapmc.TMP\WEDDINGC.AVI
  Avast Result: Unable to scan: the file is a decompression bomb
- File name: c:\WINDOWS\Temp\9bb1ut1z.TMP\WEDDING.AVI
  Avast Result: Unable to scan: the file is a decompression bomb
Malware Type: Trojan Horse
VPS version: 000754-3, 07/06/2007
- A whole bunch of user@servedby.advertising[1].txt & user@advertising[1].txt
Action Taken: Permanently deleted the above files since chest was not working in safe mode.
Step IV:
Logged back into Windows XP Pro – Normal boot (internet connected)
Avast detected the following Trojans
File name: DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe[PECompact]
Malware name: Win32:Agent-ISI [Trj]
Malware type: Trojan Horse
VPS Version: 000754-4, 07/06/2007
Action taken: File moved to chest
File name: C:\WINDOWS\SYSTEM32\DKXSKSOR.DLL
File name: C:\DOCUME~1\Family\LOCALS~1\Temp\seokwdqy.dll
Malware name: Win32:Virtumonde-BA [Adw]
Malware type: Adware
VPS Version: 000754-4, 07/06/2007
Action taken: 000754-4, 07/06/2007
File name: C:\DOCUME~1\Family\LOCALS~1\Temp\yxygbfdk.dll
Malware name: Win32:VBStat-C [Trj]
Malware type: Trojan Horse
VPS Version: 000754-4, 07/06/2007
Action taken: File moved to chest
Thanks for the help.
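The detections posted above fall into two groups that need different handling: copies sitting inside System Restore snapshots (the System Volume Information / _restore{...} / RPnnnn folders), which the scanners keep "finding" until System Restore is switched off and the snapshots are discarded, as advised earlier in the thread, and files in the user's Temp folder and system32, which mean something is still dropping them after a supposedly clean scan. As an added example, not code from this thread, avast or Windows Defender, the Python script below parses avast-style "File name:" / "Malware name:" records and sorts each detection by where the file lives, then gives a verdict. The sample log is constructed from the paths and names posted above; the regular expressions, the "Action taken: Deleted" value and the verdict wording are assumptions.

```python
"""Triage of AV detections by file location (added example, not thread code).

Separates hits inside System Restore snapshots, which only need System Restore
disabled and the snapshots purged, from hits in live locations (Temp folders,
system32), which indicate the dropper is still active.
"""
import re
from collections import Counter

# Constructed sample in the "key: value" layout of the avast Log Viewer output
# pasted above; paths and malware names are the ones reported in the thread.
SAMPLE_LOG = r"""
File name: C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233532.dll
Malware name: Win32:BHO-ES [Trj]
Malware type: Trojan Horse
Action taken: Deleted
File name: C:\DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe[PECompact]
Malware name: Win32:Agent-ISI [Trj]
Malware type: Trojan Horse
Action taken: File moved to chest
File name: C:\WINDOWS\SYSTEM32\DKXSKSOR.DLL
Malware name: Win32:Virtumonde-BA [Adw]
Malware type: Adware
Action taken: File moved to chest
File name: C:\DOCUME~1\Family\LOCALS~1\Temp\yxygbfdk.dll
Malware name: Win32:VBStat-C [Trj]
Malware type: Trojan Horse
Action taken: File moved to chest
"""

# Location classes (assumed patterns, case-insensitive, Windows XP layout).
RESTORE_POINT = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)           # ...\LOCALS~1\Temp\ and C:\WINDOWS\Temp\
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
CONTAINER = re.compile(r"\[[^\]]*\]$")             # avast's "[PECompact]" / "[Embedded#..]" suffix


def parse_avast_log(text):
    """Group 'File name:' / 'Malware name:' / ... lines into one dict per detection."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "file name":
            current = {"file": value}
            records.append(current)
        elif current is not None:
            current[key.replace(" ", "_")] = value
    return records


def classify(path):
    """Where the detected file lives; the packer/archive suffix is not part of the path."""
    bare = CONTAINER.sub("", path)
    if RESTORE_POINT.search(bare):
        return "restore-point"
    if TEMP_DIR.search(bare):
        return "live-temp"
    if SYSTEM32.search(bare):
        return "live-system32"
    return "live-other"


def triage(records):
    """Return (counts per location class, live detections, one-line verdict)."""
    counts = Counter(classify(r["file"]) for r in records)
    live = [r for r in records if classify(r["file"]) != "restore-point"]
    if live:
        verdict = ("live detections present: the dropper is still active; "
                   "review autostart entries before trusting a clean scan")
    else:
        verdict = ("only restore-point copies: disable System Restore, reboot, "
                   "re-scan, then re-enable System Restore")
    return counts, live, verdict


if __name__ == "__main__":
    recs = parse_avast_log(SAMPLE_LOG)
    counts, live, verdict = triage(recs)
    for r in recs:
        print(f"{classify(r['file']):14} {r.get('malware_name', '?'):26} {r['file']}")
    print(dict(counts))
    print(verdict)
```

Run on the sample, the one restore-point hit is separated from three live hits, and the verdict is that the machine is not clean yet: the packed executable in Temp is exactly the kind of file that keeps recreating the system32 DLL and the cookies after each reboot.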
You can install AVG Anti-Spyware Free and SUPERAntiSpyware for on-demand scanning. You’ll have no problems.
You may redo all of it with System Restore unchecked.
If those don’t solve the problem try this:
Download ATF Cleaner from here
http://www.atribune.org/content/view/25/2/
It does not need to be installed - just download it to your desktop and double click to run it. The directions are on the page I linked to, but instead of leaving all options checked, I would uncheck the Prefetch option.
After running ATF Cleaner download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
When Combofix has finished run HijackThis and post the log.
Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Hi everyone,
Thanks for all the help and I have done everything or almost everything you all recommended.
- Checked for unknown problems in Add/Remove Programs - did not find any
- Disabled system restore
- Updated all antivirus programs and plugged off the internet
- Restarted in Safe Mode
- Ran and cleaned Temporary Files using both Windows Advanced Care and ATF Cleaner
- Ran Avast (hung after 3 hours of scanning, so although the scan was over, action could not be taken)
- Ran AVG Anti-Spyware simultaneously and fixed/quarantined problems
- Ran SuperAntiSpyware simultaneously and fixed/quarantined problems
- Ran Anti-rootkit applications AVG and Panda (panda shut down without working)
- Ran Spybot Search and Destroy - found 3 Windows Media Player registry changes - I assumed they are OK? (Multiplex[1].txt did not show up this time)
- Immunized using Spybot, did not find an “immunization option in Windows Advanced Care”
- Ran Combofix and saved log (will paste below)
- Tried running Secunia Software Inspector from the site, but Java did not load.
- Ran HijackThis and saved log (will post below)
- Ran Runscanner and saved log (will post below)
I have been online for 30min, till now nothing has popped up.
Since there are 3 logs and they are long, I will post them as 3 separate posts in the following order:
HijackThis log
RunScanner log
Combofix log
Thanks for all the help; do recommend any fixes that need to be made according to the HijackThis, RunScanner and ComboFix logs.
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:13 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed Utilities\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
E:\Program Files\Anti Virus\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
E:\Program Files\Anti Virus\Avast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe
E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
E:\Program Files\Utilities\Quicktime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet\Mozilla\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Anti Virus\HijackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://officeupdate.microsoft.com/outlook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [LogitechVideoTray] E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
O4 - HKLM..\Run: [LogitechVideoRepair] E:\Program Files\Internet\Logitech WebCam\ISStart.exe
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [iTunesHelper] “E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe”
O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “E:\Program Files\Utilities\Quicktime\qttask.exe” -atboottime
O4 - HKLM..\Run: [HP Software Update] “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe”
O4 - HKCU..\Run: [FolderShare] “E:\Program Files\Utilities\FolderShare\FolderShare.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User ‘Default user’)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - E:\Program Files\Utilities\PDFill\DownloadPDF.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.21/uploader2.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {611627F1-D9A5-4235-958E-618E483BF8E7} (AutoUploader Class) - http://www.splashbulb.com/uploader/lib/uploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
--
End of file - 7798 bytes
Next post: Runscanner log
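Reading a HijackThis log by hand comes down to spotting O2/O3 entries whose file is gone and O4 entries that start from odd places. As an added example, not part of this thread and not HijackThis code, the Python below parses the O2 (BHO), O3 (toolbar) and O4 (Run keys and Startup folder) sections and flags such entries. The sample is built from lines of the log above plus one hypothetical HKCU Run entry ("kfquukys", made from the Temp path reported earlier in the thread) that does not appear in the posted log and is included only to show what a flagged temp-directory autostart looks like; the flag rules and regular expressions are assumptions.

```python
"""Triage of HijackThis O2/O3/O4 lines (added example; not HijackThis code).

Flags are hints for a human reviewer, not verdicts: nwiz.exe in the sample is
NVIDIA's and harmless, yet it is flagged because it is a bare file name.
"""
import re

# Constructed sample: lines copied from the posted log, plus one hypothetical
# HKCU Run entry (kfquukys) that is NOT in the posted log.
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kfquukys] C:\DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
"""

# Line shapes (assumed from the HijackThis 2.0 output format shown above).
O4_REG = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_FOLDER = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
COM_OBJ = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# First executable token of a Run value, with optional quotes, arguments dropped.
EXE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?=\s|$)', re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def exe_of(cmd):
    """Executable named by a Run value, without quotes and trailing arguments."""
    m = EXE.match(cmd.strip())
    return m["exe"] if m else cmd.strip()


def parse_hjt(text):
    """One dict per O2/O3/O4 line: section, name, location (key or CLSID), path."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_REG.match(line) or O4_FOLDER.match(line)
        if m:
            entries.append({"section": "O4", "name": m["name"], "location": m["loc"],
                            "path": exe_of(m["cmd"]), "raw": line})
            continue
        m = COM_OBJ.match(line)
        if m:
            entries.append({"section": m["sec"], "name": m["name"], "location": m["clsid"],
                            "path": m["path"], "raw": line})
    return entries


def flags(entry):
    """Triage hints for one entry (empty list means nothing stood out)."""
    hints, path = [], entry["path"]
    if path.lower() == "(no file)":
        hints.append("orphan: registry entry whose file is gone")
    elif TEMP_DIR.search(path):
        hints.append("runs from a temp directory")
    elif "\\" not in path:
        hints.append("bare file name, resolved through the search path")
    if entry["name"] == "(no name)":
        hints.append("no display name")
    return hints


def review(entries):
    """Entries with at least one hint, as (raw line, hints) pairs."""
    return [(e["raw"], flags(e)) for e in entries if flags(e)]


if __name__ == "__main__":
    for raw, hints in review(parse_hjt(SAMPLE_HJT)):
        print(raw)
        for h in hints:
            print("   ->", h)
```

On the sample, the two "(no file)" objects are leftovers of an uninstalled Google Toolbar and can simply be removed; the hypothetical Temp entry is the one that would matter on a machine like the one in this thread, since an autostart pointing into Local Settings\Temp is what brings a deleted file back after every reboot.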
Runscanner log
Runscanner logfile http://www.runscanner.net
000 General info
Computer name : HOMEUSER
Type of scan : Full scan
RunScanner Version : 0.9.0.0
Creation time : 7/8/2007 3:27:21 PM
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : English (United States)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS
001 Running processes
- e:\program files\anti virus\avast\aswupdsv.exe (ALWIL Software)
- e:\program files\anti virus\avast\ashserv.exe (ALWIL Software)
- e:\program files\anti virus\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.)
c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
- c:\program files\siteadvisor\6066\saservice.exe (McAfee, Inc.)
- e:\program files\anti virus\avast\ashmaisv.exe (ALWIL Software)
- e:\program files\anti virus\avast\ashwebsv.exe (ALWIL Software)
c:\program files\java\j2re1.4.2_04\bin\jusched.exe
e:\program files\internet\logitech webcam\logitray.exe (Logitech Inc.)
- c:\program files\common files\aol\1141834038\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
e:\program files\utilities\itunes&quicktime\ituneshelper.exe (Apple Computer, Inc.)
- e:\progra~1\antivi~1\avast\ashdisp.exe (ALWIL Software)
e:\program files\utilities\quicktime\qttask.exe (Apple Computer, Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Company)
c:\program files\ipod\bin\ipodservice.exe (Apple Computer, Inc.)
c:\program files\olympus\devicedetector\devdtct2.exe (OLYMPUS Corporation.)
c:\program files\palmone\hotsync.exe (PalmSource, Inc)
c:\windows\system32\lvcoms.exe (Logitech Inc.)
c:\program files\hp\digital imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)
- e:\program files\internet\mozilla\firefox.exe (Mozilla Corporation)
- c:\program files\siteadvisor\6066\siteadv.exe (McAfee, Inc.)
- e:\program files\anti virus\hijackthis\hijackthis.exe (Trend Micro Inc.)
e:\program files\anti virus\runscanner.exe (Runscanner.net)
002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
c:\program files\java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\nwiz.exe (NVIDIA Corporation)
e:\program files\internet\logitech webcam\logitray.exe (Logitech Inc.)
e:\program files\internet\logitech webcam\isstart.exe (Logitech Inc.)
- c:\program files\common files\aol\1141834038\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
e:\program files\utilities\itunes&quicktime\ituneshelper.exe (Apple Computer, Inc.)
- e:\progra~1\antivi~1\avast\ashdisp.exe (ALWIL Software)
e:\program files\utilities\quicktime\qttask.exe (Apple Computer, Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Company)
003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
- e:\program files\utilities\foldershare\foldershare.exe
005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)
c:\progra~1\olympus\device~1\devdtct2.exe (OLYMPUS Corporation.)
c:\progra~1\palmone\hotsync.exe (PalmSource, Inc)
c:\progra~1\hp\digita~1\bin\hpqthb08.exe (Hewlett-Packard Co.)
010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
- e:\program files\anti virus\avast\aswupdsv.exe (avast! iAVS4 Control Service)
- e:\program files\anti virus\avast\ashserv.exe (avast! Antivirus)
- e:\program files\anti virus\avast\ashmaisv.exe (avast! Mail Scanner)
- e:\program files\anti virus\avast\ashwebsv.exe (avast! Web Scanner)
- e:\program files\anti virus\avg anti-spyware 7.5\guard.exe (AVG Anti-Spyware Guard)
c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
c:\program files\ipod\bin\ipodservice.exe (iPodService)
C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service)
c:\windows\system32\hpzipm12.exe (Pml Driver HPZ12)
- c:\program files\siteadvisor\6066\saservice.exe (SiteAdvisor Service)
011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Audio Noise Cancellation Driver)
C:\WINDOWS\system32\drivers\avgarkt.sys (AVG Anti-Rootkit)
- e:\program files\anti virus\avg anti-spyware 7.5\guard.sys (AVG Anti-Spyware Driver)
C:\WINDOWS\system32\drivers\avgarcln.sys (Avg Anti-Rootkit Clean Driver)
- C:\WINDOWS\system32\drivers\avgascln.sys (AVG Anti-Spyware Clean Driver)
- c:\docume~1\family\locals~1\temp\catchme.sys (Base)
C:\WINDOWS\system32\drivers\sqcaptur.sys (Dual-Mode DSC(2770))
C:\WINDOWS\system32\drivers\dvdriver.sys (DVdriver)
C:\WINDOWS\system32\drivers\el2k_xp.sys (3Com 3C2000x EtherLink XL Adapter)
- C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)
- C:\WINDOWS\system32\drivers\hpzid412.sys (IEEE-1284.4 Driver HPZid412)
- C:\WINDOWS\system32\drivers\hpzipr12.sys (Print Class Driver for IEEE-1284.4 HPZipr12)
- C:\WINDOWS\system32\drivers\hpzius12.sys (USB to IEEE-1284.4 Translation Driver HPZius12)
- C:\WINDOWS\system32\drivers\icrecusb.sys (IC Recorder Driver)
C:\WINDOWS\system32\drivers\intelc51.sys (Driver executs DSP proccessing)
C:\WINDOWS\system32\drivers\intelc52.sys (Intel(R) 537 Data Fax Voice V.92 Modem)
C:\WINDOWS\system32\drivers\intelc53.sys (Driver executs AFE proccessing)
- c:\docume~1\family\locals~1\temp\jgameenp.sys (jgameenp)
- c:\windows\system32\drivers\fw220.sys (McAfee Firewall Network Filter Miniport)
C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
- C:\WINDOWS\system32\drivers\palmusbd.sys (USB Driver for Palm OS Handheld Devices)
C:\WINDOWS\system32\drivers\camdrl21.sys (Logitech QuickCam Pro 3000(PID_08B0))
- C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
e:\program files\anti virus\superantispyware\sasdifsv.sys (SASDIFSV)
e:\program files\anti virus\superantispyware\sasenum.sys (SASENUM)
e:\program files\anti virus\superantispyware\saskutil.sys (SASKUTIL)
C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
- C:\WINDOWS\system32\drivers\silvrlnk.sys (Texas Instruments SilverLink (USB GraphLink) Cable)
- C:\WINDOWS\system32\drivers\smwdm.sys (SoundMAX Integrated Digital Audio)
C:\WINDOWS\system32\drivers\sscdbus.sys (SAMSUNG USB Composite Device driver (WDM))
C:\WINDOWS\system32\drivers\viaraid.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\vnusb.sys (VN Series Device)
- c:\windows\system32\drivers\wanatw4.sys (WAN Miniport (ATW))
- f:\winio.sys (WINIO)
030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
c:\program files\hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
- c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {3A5DC592-7723-4EAA-9EE6-AF4222BCF879}
ComboFix Log will continue in next post since it exceeds max char limit
Sorry - I meant Runscanner log continues here:
035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}
036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
About:Home
041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
- c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {0BF43445-2F28-4351-9252-17FE6E806AA0}
042 HKLM\Software\Microsoft\Internet Explorer\Extensions
e:\program files\utilities\pdfill\downloadpdf.exe (PlotSoft LLC) {FB858B22-55E2-413f-87F5-30ADC5552151}
050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- e:\program files\anti virus\avg anti-spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.) {57B86673-276A-48B2-BAE7-C6DBB3020EB8}
e:\program files\anti virus\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {089FD14D-132B-48FC-8861-0048AE113215}
061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
- c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
e:\program files\internet\logitech webcam\namespc2.dll (Logitech Inc.) {400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}
c:\program files\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
- c:\program files\microsoft office\visio11\visshe.dll {506F4668-F13E-4AA1-BB04-B43203AB3CC0}
- c:\program files\microsoft office\visio11\visshe.dll {D66DC78C-4F61-447F-942B-3FB6980118CF}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
e:\program files\utilities\itunes&quicktime\itunesminiplayer.dll (Apple Computer, Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
- e:\program files\anti virus\avast\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
e:\program files\anti virus\superantispyware\saswinlo.dll (SUPERAntiSpyware.com)
069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
C:\WINDOWS\system32\custmon2k.dll
- C:\WINDOWS\system32\hpzlnt10.dll (HP)
073 %windir%\Tasks
c:\windows\tasks\mp scheduled scan.job
100 Internet Explorer settings
Start Page HKCU : www.bbc.co.uk
Start Page HKLM : about:blank
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
ShellNext HKCU : http://officeupdate.microsoft.com/outlook
104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
c:\windows\downloaded program files\yinsthelper.dll (Yahoo! Inc.) {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
- c:\windows\downloaded program files\uploaderx.dll {474F00F5-3853-492C-AC3A-476512BBC336}
c:\windows\downloaded program files\uploader.dll {611627F1-D9A5-4235-958E-618E483BF8E7}
c:\program files\java\j2re1.4.2_04\bin\npjpi142_04.dll (JavaSoft / Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
c:\program files\java\j2re1.4.2_04\bin\npjpi142_04.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
- c:\windows\system32\macromed\flash\flash9b.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}
106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL
Default : http://
ftp : ftp://
gopher : gopher://
home : http://
mosaic : http://
www : http://
147 HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
C:\WINDOWS\system32\zwebauth.dll
161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1
173 HKCR\*\shellex\ContextMenuHandlers
- e:\program files\anti virus\avast\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
- e:\program files\anti virus\avg anti-spyware 7.5\context.dll (GRISOFT s.r.o.) {8934FCEF-F5B8-468f-951F-78A921CD3920}
180 FileType Hijacking
HKEY_CLASSES_ROOT batfile : "%1" %*
HKEY_CLASSES_ROOT cmdfile : "%1" %*
HKEY_CLASSES_ROOT comfile : "%1" %*
HKEY_CLASSES_ROOT exefile : "%1" %*
HKEY_CLASSES_ROOT htafile : C:\WINDOWS\system32\mshta.exe "%1" %*
HKEY_CLASSES_ROOT piffile : "%1" %*
HKEY_CLASSES_ROOT scrfile : "%1" /S
Next post: ComboFix log
ComboFix Log
"Mr.C!" - 2007-07-08 14:45:21 - ComboFix 07-07-07.3 - Service Pack 2
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\#SharedObjects\8FSAHFWA\www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Family\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\zxdnt3d.cfg
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))
2007-07-08 14:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-08 14:30 8,704 --a------ C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
2007-07-08 11:18 d-------- C:\DOCUME~1\Family\Pavark
2007-07-07 17:59 d-------- C:\HijackThis
2007-07-07 17:51 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-07 17:42 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 17:41 d-------- C:\DOCUME~1\Family\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 17:40 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 17:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-19 22:43 d-------- C:\DOCUME~1\Jiggy\APPLIC~1\SiteAdvisor
2007-06-11 12:20 d-------- C:\DOCUME~1\User\APPLIC~1\SiteAdvisor
2007-06-11 09:49 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-06-11 09:49 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-06-11 09:49 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-06-11 09:49 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-06-11 09:49 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-06-11 09:49 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-06-11 09:49 31,744 --a------ C:\WINDOWS\system32\fxsroute.dll
2007-06-11 09:49 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-06-11 09:49 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-06-11 09:49 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-06-11 09:49 132,608 --a------ C:\WINDOWS\system32\fxsclntR.dll
2007-06-11 09:49 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-06-11 09:49 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-06-11 09:49 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-06-11 09:49 111,104 --a------ C:\WINDOWS\system32\fxscfgwz.dll
2007-06-11 09:49 11,264 --a------ C:\WINDOWS\system32\fxssend.exe
2007-06-11 09:49 d-------- C:\WINDOWS\system32\FxsTmp
2007-06-08 18:23 d-------- C:\Program Files\Hewlett-Packard
2007-06-08 18:23 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
2007-06-08 18:13 17,176 --------- C:\WINDOWS\hpomdl04.dat
2007-06-08 18:13 104,549 --a------ C:\WINDOWS\hpoins04.dat
2007-06-08 15:50 d-------- C:\WINDOWS\SxsCaPendDel
2007-06-08 14:41 d-------- C:\Program Files\Common Files\HP
2007-06-08 14:26 d-------- C:\temp\HP_WebRelease
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-07 19:00:11 1,844,926 --sh--w C:\WINDOWS\system32\rqtss.bak2
2007-06-16 19:31:56 -------- d-----w C:\Program Files\PERRLA
2007-06-11 13:49:21 -------- d-----w C:\Program Files\Windows NT
2007-06-08 22:23:35 -------- d-----w C:\Program Files\HP
2007-06-07 11:17:14 -------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-06-04 02:56:24 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\SiteAdvisor
2007-06-04 02:49:53 -------- d-----w C:\Program Files\SiteAdvisor
2007-06-04 01:52:39 -------- d-----w C:\Program Files\Installed Utilities
2007-06-03 16:26:56 -------- d-----w C:\Program Files\Real
2007-06-02 20:05:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-02 20:02:21 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Symantec
2007-06-02 18:07:42 1,583,854 --sh--w C:\WINDOWS\system32\rqtss.bak1
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 16:53:49 11,029 ----a-w C:\WINDOWS\mozver.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Note empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
2007-03-30 11:41 1099304 --a------ C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"nwiz"="nwiz.exe" [2003-06-18 01:31 C:\WINDOWS\system32\nwiz.exe]
"LogitechVideoTray"="E:\Program Files\Internet\Logitech WebCam\LogiTray.exe" [2003-08-29 15:20]
"LogitechVideoRepair"="E:\Program Files\Internet\Logitech WebCam\ISStart.exe" [2003-08-29 15:17]
"HostManager"="C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe" [2005-11-02 23:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 20:53]
"iTunesHelper"="E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe" [2006-06-14 16:24]
"avast!"="E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe" [2007-04-30 11:42]
"QuickTime Task"="E:\Program Files\Utilities\Quicktime\qttask.exe" [2007-02-16 10:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=""
"FolderShare"="E:\Program Files\Utilities\FolderShare\FolderShare.exe"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
“RunNarrator”=Narrator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“AllowLegacyWebView”=1 (0x1)
“AllowUnhashedWebView”=1 (0x1)
“LinkResolveIgnoreLinkInfo”=0 (0x0)
“NoResolveSearch”=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“LinkResolveIgnoreLinkInfo”=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
Contents of the 'Scheduled Tasks' folder
2007-07-08 18:29:47 C:\WINDOWS\tasks\MP Scheduled Scan.job
disk not found C:\
scanning hidden processes …
scanning hidden autostart entries …
Completion time: 2007-07-08 14:51:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-07-08 14:51
--- E O F ---
Thanks Again.
One more - ComboFix Quarantined Files:
2003-08-13 12:08 135168 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2003-08-13 12:08 36864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2006-06-27 10:39 767 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Family\Desktop\Internet Explorer.lnk.vir
2007-04-01 14:05 89 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Family\APPLIC~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol.vir
2007-06-02 16:00 21 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2007-07-08 14:47 2956 --a------ C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-08 14:47 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
Folder PATH listing
Volume serial number is 70BA-881B
C:\QOOBOX
\---Quarantine
+---C
| +---DOCUME~1
| | \---Family
| | +---APPLIC~1
| | | \---Macromedia
| | | \---Flash Player
| | | \---macromedia.com
| | | \---support
| | | \---flashplayer
| | | \---sys
| | | \---#www.broadcaster.com
| | | settings.sol.vir
| | |
| | \---Desktop
| | Internet Explorer.lnk.vir
| |
| \---WINDOWS
| \---system32
| packet.dll.vir
| wpcap.dll.vir
| zxdnt3d.cfg.vir
|
\---Registry_backups
LEGACY_DOMAINSERVICE.reg.cf
services_DomainService.reg.cf
You have some very old, exploitable Java on this computer.
There is an uninstaller for Microsoft Java here
http://www.softpedia.com/get/System/System-Miscellaneous/MSJVM-Removal-Tool.shtml
You will see all sorts of warnings that once uninstalled you can’t go back. It’s best disposed of and replaced by the current Sun Java which you can download from
http://filehippo.com/download_java_runtime/
Once you’ve installed this open Add/Remove Programs in the Control Panel and uninstall any older versions of Java you find (particularly 1.4.2). You will need this step because neither the MS uninstaller nor the Sun update will remove these versions.
After you're finished with that, upload this file to VirusTotal and post the analysis results.
C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
Now open HJT again and click to do a System Scan Only. Place a check mark next to these lines
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
Close all other windows, including your browser, and click Fix Checked. Close HJT when that’s complete.
You seem to either be in the middle of installing a program called Narrator or the installation hung. Are you aware of the program? Has the installation completed successfully?
Hi Mauserme,
The only Narrator I am aware of is the MS text-to-speech program. I probably did check it out when I first installed XP, but never after that. Is there a way to stop it if it's still installing?
Also, one other recent pop-up that came up was that of a program called “Magic Folders”. It's basically a program that hides folders. I tried the program during the trial period. I have been trying to uninstall it, but it gives me an error saying “try after disabling Spyagent monitoring”. Upon googling Spyagent and reading up on their site, it's software that actually saves keystrokes and has a remote monitoring option. That is even worse than viruses and trojans. Are there any processes that can be stopped through HijackThis to prevent Spyagent or disable it? I have searched high and low on my computer but have been unable to track it down.
As per your suggestion, posting report from Virus Total: (thanks)
C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
Complete scanning result of “njyoxcnhlwus.sys”, received in VirusTotal at 07.09.2007, 01:02:13 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.7.7.0 07.06.2007 no virus found
AntiVir 7.4.0.39 07.08.2007 no virus found
Authentium 4.93.8 07.07.2007 no virus found
Avast 4.7.997.0 07.08.2007 no virus found
AVG 7.5.0.476 07.08.2007 no virus found
BitDefender 7.2 07.09.2007 no virus found
CAT-QuickHeal 9.00 07.07.2007 no virus found
ClamAV devel-20070416 07.08.2007 no virus found
DrWeb 4.33 07.08.2007 no virus found
eSafe 7.0.15.0 07.08.2007 no virus found
eTrust-Vet 30.8.3769 07.07.2007 no virus found
Ewido 4.0 07.08.2007 no virus found
FileAdvisor 1 07.09.2007 no virus found
Fortinet 2.91.0.0 07.09.2007 no virus found
F-Prot 4.3.2.48 07.06.2007 no virus found
Ikarus T3.1.1.8 07.08.2007 no virus found
Kaspersky 4.0.2.24 07.08.2007 no virus found
McAfee 5069 07.06.2007 no virus found
Microsoft 1.2704 07.09.2007 no virus found
NOD32v2 2384 07.08.2007 no virus found
Norman 5.80.02 07.06.2007 no virus found
Panda 9.0.0.4 07.08.2007 no virus found
Sophos 4.19.0 07.06.2007 no virus found
Sunbelt 2.2.907.0 07.07.2007 no virus found
Symantec 10 07.08.2007 no virus found
TheHacker 6.1.6.143 07.05.2007 no virus found
VBA32 3.12.0.2 07.08.2007 no virus found
VirusBuster 4.3.23:9 07.08.2007 no virus found
Webwasher-Gateway 6.0.1 07.08.2007 no virus found
Aditional Information
File size: 8704 bytes
MD5: 34d44edd829476e085f5c22ac9dfe315
SHA1: 409f8e1239c67925b4f7d137af35a30ddb40235a
===============
Click Start and open Control Panel>Administrative Tools>Services. Scroll down the list to Narrator and double click it. In the window that opens click the Stop button. Then, just above the Stop button, drop down the Start Up Type and choose Disabled. Click OK and close the Services, Administrative Tools, and Control Panel windows.
Now open HJT, place a check next to these lines, and fix them after closing all other windows
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
I don't see Spyagent on the HJT log, so let's try something different.
Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
I would also like you to download OTMoveIt by OldTimer. Save it to your desktop but don’t do anything with it just yet.
Do you recall how long ago you installed Magic Folders/Spyagent?
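A small triage parser for the HJT line types the helper has the poster fix in this post and the earlier one: O2/O3 entries whose target reads "(no file)" (a CLSID still registered although its DLL is gone) and O4 RunOnce entries. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the formats quoted in the posts, and the "orphan" and "runonce" flag names are the example's own.

```python
"""Parse HijackThis O2/O3/O4 log lines and flag the entries worth a second look."""
import re

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
# O3 - Toolbar: <name> - {CLSID} - <dll path or "(no file)">
O2_O3_RE = re.compile(
    r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# O4 - <hive>\..\Run or RunOnce: [<value name>] <command> (User '<user>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<value>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed sample, modelled on the lines quoted in the thread (not a real log).
SAMPLE_LOG = [
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
    r"O2 - BHO: SiteAdvisor BHO - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll",
    r"O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')",
]


def parse_hjt_line(line):
    """Return a dict for an O2/O3/O4 line, or None for any other HJT line."""
    line = line.strip()
    m = O2_O3_RE.match(line)
    if m:
        target = m.group("target").strip()
        return {
            "section": "O" + m.group("sec"),
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "target": target,
            # "(no file)": the registry still names the CLSID but the DLL is missing.
            "flags": ["orphan"] if target.lower() == "(no file)" else [],
        }
    m = O4_RE.match(line)
    if m:
        return {
            "section": "O4", "hive": m.group("hive"), "key": m.group("key"),
            "value": m.group("value"), "command": m.group("cmd").strip(),
            "user": m.group("user"),
            # RunOnce values are deleted after they run; one that persists across
            # reboots (as Narrator.exe does here) deserves a look.
            "flags": ["runonce"] if m.group("key").lower() == "runonce" else [],
        }
    return None


def entries_to_review(lines):
    """Return the parsed entries that carry at least one flag, in log order."""
    parsed = (parse_hjt_line(line) for line in lines)
    return [entry for entry in parsed if entry and entry["flags"]]


if __name__ == "__main__":
    for entry in entries_to_review(SAMPLE_LOG):
        print(entry["section"], entry.get("name", entry.get("value")), entry["flags"])
```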
Narrator is not in the “Services” List within Administrative Tools. Could I still go ahead and use HJT to fix the Narrator service or does something else have to be done before?
Magic Folders Uninstallation/Spyagent Error
As of July 9, 2007 I have exceeded the “Magic Folders” evaluation period by 227 days. So a total of 257 days. I installed it, checked it out, but then completely forgot about it, until all this came up.
This is my personal computer, but I do a lot of work-related stuff on it too. So I would never install something like Spyagent on this. I became aware of it when I tried uninstalling Magic Folders and the Magic Folders uninstallation conflicted with SpyAgent. So I contacted Spytech technical support and in reply to my query they emailed the following:
“If you do not see the program installed in either of the folders, it is likely that the program Magic Folders gives a false positive & SpyAgent is not actually there.
SpyAgent Stealth Install Directory: c:/program files/sysconfig
Default non-stealth Install Directory:
c:/program files/spytech software/spytech spyagent”
These folders were not in the computer, unless they are masked in some way. Hence I searched MagicFolders FAQs and as per their instruction re-installed mfx.exe and retried without effect. I have sent an email out to their helpdesk, but no reply yet. Also I do not know how to deal with false positives if it is one. But I am really concerned about a keystroke capturing program like SpyAgent being installed on my computer. That could be quite disastrous.
WinPFind3u log will follow in the next few posts. It's big, so I am dividing it up as you suggested.