Windows XP popups

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Hi Mucks
The Bullguard was on the system when I got to it , with the firewall turned off. Have just got a copy of Spyware Doctor for daughter's laptop - will use it on that PC instead.
Thanks
peahouse05
 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Hi Mucks
Have installed Spyware Doctor on the offending PC. Lots of stuff came up, including ZEDO, a pain in the past.
Did a couple of scans and am still left with one popup, which I agree is due to an installed program, but I can't identify it.
However, my friend, aka my eldest daughter's mother-in-law, is beside herself in joy. Stuff arrived this morning and I installed 1GB of RAM and a 320GB external Maxtor HD. The PC goes like stink and the pop-up only occurs occasionally.
Have printed the thread and she thinks the forum is fantastic.
Thanks from peahouse05 and Kay:D
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Great to hear ... get rid of McAfee and it will go like lightning. :thumb:


Now, just get me a pic of the popup, and we'll catch the bugger. :D


 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Thanks Mucks
Just a question - without McAfee I don't have a software firewall, or will Spyware Doctor pick up all the rubbish, or do I turn on the Windows firewall?
Will go for the remaining popup tomorrow - it will be quiet over there tomorrow as they will all be at the Royal Cornwall Show at Wadebridge. I can watch the cricket and mess with the PC all day .
Cheers
peahouse05:D
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Yes, you will lose all of McAfee's 'protection', but that wasn't that good anyway, was it?


You can replace the firewall with Comodo, it is free ... you can replace the AV with Anti-Vir Personal ... or you could try out Kaspersky Internet Security for 30 days and see how you like it ... it will do both jobs and more.

KIS have a new version coming out, KIS7, I and a couple others here are already using it ... it is very good. :thumb:


 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Right as usual.
The remaining popups come after a white screen with this at the top:

http:/url.cpvfeed.com/cpv.jsp?p = 110830&ip = 84.64.148.148 = htt%3A%

Might not be absolutely correct as it is not up for long.
This contains an IP address, doesn't it? Is it re-directing to that site perhaps?
Usually followed by one, or at most two popups for loans, music, etc.
Just an idea - the internet connection hasn't dropped since the clean-up.
Could ten or twelve open IE windows have been causing this problem?

Thanks
peahouse05
:)
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Hmmm, I'm missing something ... OK ...

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts
Don't click on the window while the fix is running, it will cause the system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log for me together with a new hijackthislog. :thumb:

Did you try SuperAntiSpyware?

You have SpywareBlaster installed ?

Don't forget, no one anti-nastie software is gonna protect/find all at 100%

 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Thanks for your patience Mucks - have run Spybot and Spyware Doctor, will try the two you mentioned and then Combofix.
Cheers
peahouse05:thumb:
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
peahouse05 said:
Thanks for your patience Mucks - have run Spybot and Spyware Doctor, will try the two you mentioned and then Combofix.
Cheers
peahouse05:thumb:
I'll let you into a little secret ... I have a 2Gb USB thumb/key/pen drive ... on it I have every free anti-nastie piece of software I can find. I also have all Trial version of full blown anti-nastie software.

Be aware, however, there is anti-spyware software out there whose sole job is to infect you with some nastie so they can then control your system. 10 million infected systems is the figure being bantered around, with 500,000 - 700,000 getting hit by the Blaster Worm, when it was first released, within 3 days.


HJT is good, but it can only "see" what is loaded ... if a process is marked safe, nothing much will find it.

I also, after isolating the PC from my network, go online and use the free online scanners, at least three of them.

Then there is one foolproof method ... Format. :D

 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Excellent idea!
Could the programs on a thumbdrive be used on other PCs? I ask because there is more work next week. Sister-in-law has been running a used laptop on broadband without security because a chap at the shop where she bought it in Tavistock wanted to charge her £85 for a 'security package'. When it stopped working due to a virus he reinstalled the Millennium OS but she still has no security and no OS disks - Dartmoor prison is only a couple of miles away!
Cheers
peahouse05:nod:
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
No programs are "installed" on the thumb drive, I just use it 'cos it's a lot easier than a CD or DVD or ext HD to transport all my tools & toys. ;)

You still need to install each program, update it & run it on the 'client's' system ... you can then leave the good freebies like SBS&D installed.

It doesn't surprise me one iota the amount of people who don't have even the basic anti-nastie programs installed. Not to mention, those that do, have never updated them.

If you can "teach" the 'client' some basics to securing their system and point them in the right direction to the 'paid-for-solutions', like KIS, all the better for them ... you'll get less "call-outs" and start to lose money for the paid-for jobs though. :D

The best programs are the ones that update themselves, do a good all-round job, and require no intervention by the user, until a 'problem' occurs ... leave your phone number and tell them to call you if that happens.

My sister calls me at least once a month, it doesn't seem to 'click' with her that yes, you can install that update from MS. :rolleyes:
I must change it one day so it doesn't ask her. ;)


 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Thanks Mucks
It also came to mind regarding the PC I've been working on - it had a download problem ("your security settings are preventing this download"). But HijackThis did copy to a CD and you're right, Spybot, for example, wouldn't. Will have to sort that tomorrow.
Cheers
peahouse05:wave:
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
That could be IE itself, you need to check its security settings ... then again, judging from what was found on that system it could be a problem with the hosts file.


HJT looks for entries in the hosts file and would have told me of them ... however, it is worth knowing what should be in that file ... to find it, you will need to make sure "all files & folders" are unhidden ... look that up as your homework for today if you don't know how. ;)

Open the hosts file in Notepad. It should look something like this when you open it:

# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

There should be NOTHING else in there; if there is, post me a copy. :thumb:


Lesson ends for today. :D


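A way to do the hosts-file check Mucks describes without reading it by eye, as an added example that is not part of the original thread: the script parses hosts-file text, skips the comment block, and reports every mapping other than the default 127.0.0.1 localhost line. The hosts content embedded in it is constructed for illustration; on Windows XP the real file is C:\WINDOWS\system32\drivers\etc\hosts (no extension, and it may carry the hidden attribute, which is why the post says to unhide all files and folders). Entries that point a security vendor's download site or Windows Update at 127.0.0.1, or at some other address, are exactly what produces "can't download the fix" symptoms on an infected PC.

```python
"""Audit a Windows hosts file for anything beyond the default loopback entry.

Added example, not part of the original thread. SAMPLE_HOSTS is constructed;
on a real XP machine read C:\\WINDOWS\\system32\\drivers\\etc\\hosts instead.
"""
import ipaddress

# Constructed sample: the stock comment block plus two hijack-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# For example:
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 www.superantispyware.com       # blocks the download site
192.0.2.10   update.microsoft.com        # sends Windows Update elsewhere
"""

# The only mapping a clean XP hosts file should contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) tuples, ignoring comments, blanks and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # first field is not an address: not a mapping line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Every mapping that is not the default localhost line, with a reason,
    so the result can be pasted into a forum post for review."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            reason = "redirected to loopback (site is blocked)"
        else:
            reason = "redirected to %s (site is hijacked)" % ip
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-32s %s" % (name, reason))
```

Legitimate extras do exist (a large ad-blocking hosts list, for instance, maps thousands of ad servers to 127.0.0.1), so the output is a list for a human to judge, not an automatic verdict; a loopback mapping of a security vendor's or Microsoft's update domain is the entry to act on.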
 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Just Brilliant! I taught thousands of physics lessons but I'm sure they weren't appreciated as much as these!
Thanks
peahouse05



Can remember setting IE security to maximum level last week in a panic - will start there.
 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Hi Mucks
Have had offending PC on a KVM switch with one of my crunching PCs in my shed since lunchtime. Was unable to download any antispyware programs due to 'security settings' so went through the Internet security settings on my PC and reset them in the faulty one. Then added the download sites to 'trusted sites' and watched popups and added them to 'blocked sites'.
Have been able to download SuperAntiSpyware but not SpywareBlaster. SAS is now running and picking up stuff I thought had gone.
Will retire to bedroom PC now - must work out how to do 'remote help' then I could see what's going on in the shed.
Cheers
peahouse05:)
 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Hi Mucks
Have the PC on my network now. Played with Internet Security and downloaded and ran SuperAntiSpyware and SpywareBlaster. Still get this cpvfeed website. Having trouble downloading ComboFix but will carry on.
Cheers
peahouse05:thumb:
 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Hi
Have tried to download Combofix to my PC - the page is no longer available but have printed off a fix for Smitfraud (which is still being found by Spybot) from the bleepingcomputer website. It uses SmitFraudFix.exe in Safe Mode and has a full set of instructions.
What do you think?
Cheers
peahouse05:)
 

peahouse05

Dedicated Cruncher
Joined
Jan 3, 2006
Messages
734
Reaction score
0
Hi Mucks
Threw everything at this (14 anti-virus, spyware, etc.) but the three programs detecting Smitfraud could not get rid of it. Finally found a site from which the PC would allow a download of ComboFix after I added it to Trusted Sites. Did the trick - no popups, Microsoft Update now works and have installed Zone Alarm firewall and a spam blocker.
Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 18:51:35, on 12/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Arthur\LOCALS~1\Temp\{64C694BF-7A51-4AFF-9318-36DC55A1B189}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bitdefender.co.uk
O15 - Trusted Zone: *.bitdefender.co.uk
O15 - Trusted Zone: download.bitdefender.com
O15 - Trusted Zone: *.download.bleepingcomputer.com
O15 - Trusted Zone: http://downloadd.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://www.coffeebreakarcade.com
O15 - Trusted Zone: *.combofix.exe
O15 - Trusted Zone: *.download.bitdefender
O15 - Trusted Zone: http://software-files.download.com
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: *.downloadzonelabs.com
O15 - Trusted Zone: siri.urz.free.fr
O15 - Trusted Zone: http://*.icrontic.com
O15 - Trusted Zone: http://forums.maddoktor2.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: https://www.pcreview.co.uk
O15 - Trusted Zone: download.spamfighter.com
O15 - Trusted Zone: http://www.spamfighter.com
O15 - Trusted Zone: http://www.superantispyware.com
O15 - Trusted Zone: http://www.techsupportforum.com
O15 - Trusted Zone: *.techsupportforums.co.uk
O15 - Trusted Zone: http://be.trendmicro-europe.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.xlssetup_70_337_000_en.exe
O15 - Trusted Zone: http://www.zonealarm.com
O15 - Trusted Zone: *.download.zonelabs.com
O15 - Trusted Zone: download.zonelabs.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133630943906
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Having trouble posting Combofix logs so will post them on another reply
Cheers
peahouse05:thumb:
ComboFix 07-06-13
"Arthur" - 2007-06-12 18:29:55 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Arthur\APPLIC~1\Dxccwrd.dll
C:\Program Files\Common Files\{347FE~1
C:\Program Files\Common Files\{A47FE~1
C:\Program Files\Common Files\{A47FE~2
C:\Program Files\Common Files\{A47FE~3
C:\Program Files\Common Files\cloader
C:\Program Files\Common Files\cloader\32vegas\logos\32vegas_Logo.ico
C:\Program Files\Common Files\cloader\32vegas\logos\Interop.IWshRuntimeLibrary.dll
C:\Program Files\Common Files\misc002

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))

2007-06-12 18:29 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-12 17:39 d-------- C:\DOCUME~1\Arthur\APPLIC~1\SPAMfighter
2007-06-12 17:38 d-------- C:\Program Files\Common Files\Ankiro
2007-06-12 17:37 d-------- C:\Program Files\SPAMfighter
2007-06-12 17:37 d-------- C:\Program Files\Common Files\Application
2007-06-12 17:08 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-12 17:08 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-12 17:08 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-12 17:08 d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-12 17:07 d-------- C:\WINDOWS\Internet Logs
2007-06-12 13:12 14 --a------ C:\DOCUME~1\Arthur\getfile.dat
2007-06-12 10:31 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-06-11 21:46 d-------- C:\Program Files\Common Files\xing shared
2007-06-11 19:49 71,680 --------- C:\WINDOWS\system32\drivers\PAVDRV51.SYS
2007-06-11 19:44 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-06-11 19:44 d-------- C:\WINDOWS\system32\PAV
2007-06-11 19:44 d-------- C:\Program Files\Panda Software
2007-06-11 16:49 d-------- C:\DOCUME~1\Arthur\.housecall6.6
2007-06-11 13:25 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 21:46 d-------- C:\Program Files\Universal
2007-06-10 19:32 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-10 19:32 1,736 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-09 10:41 d-------- C:\Program Files\SpywareBlaster
2007-06-08 21:06 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-08 21:06 d-------- C:\DOCUME~1\Arthur\APPLIC~1\SUPERAntiSpyware.com
2007-06-08 21:06 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-08 21:05 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 12:00 d-------- C:\Program Files\Spyware Doctor
2007-06-05 17:30 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-06-05 17:27 7,765 --------- C:\WINDOWS\hpomdl01.dat
2007-06-05 17:27 27,875 --------- C:\WINDOWS\hpoins01.dat
2007-06-05 10:34 1,184,664 --a------ C:\WINDOWS\system32\FreeImage.dll
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 11:27 d-------- C:\HijackThis
2007-05-30 17:40 d-------- C:\Program Files\BullGuard Software
2007-05-30 13:58 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-30 11:53 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-05-24 15:30 d-------- C:\DOCUME~1\ALLUSE~1\SonicStage
2007-05-24 13:56 36,679 --------- C:\WINDOWS\system32\drivers\NETMD052.sys
2007-05-24 13:56 27,255 --------- C:\WINDOWS\system32\drivers\NWWMUSB.sys
2007-05-24 13:56 11,510 --------- C:\WINDOWS\system32\drivers\VMCUSB.sys
2007-05-24 13:55 73,728 --a------ C:\WINDOWS\system32\CddbLinkSony.dll
2007-05-24 13:53 d-------- C:\DOCUME~1\Arthur\APPLIC~1\Sony Corporation
2007-05-21 18:54 d-------- C:\CNYSELPHYCP
2007-05-21 18:49 d-------- C:\Program Files\Canon

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-11 20:46:09 -------- d-----w C:\Program Files\Common Files\Real
2007-06-11 18:44:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-11 12:25:12 -------- d-----w C:\Program Files\Lavasoft
2007-06-06 10:26:10 -------- d-----w C:\Program Files\XAimer
2007-06-05 16:37:02 -------- d-----w C:\Program Files\ReadIris
2007-06-05 16:31:53 -------- d-----w C:\Program Files\Hewlett-Packard
2007-06-05 16:13:23 -------- d-----w C:\Program Files\EXEtender
2007-06-05 16:13:13 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 16:12:10 -------- d-----w C:\Program Files\Common Files\Sony Shared
2007-06-05 14:26:53 -------- d-----w C:\Program Files\Sage Payroll
2007-06-05 12:51:47 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-05 12:49:28 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-31 15:24:29 -------- d-----w C:\Program Files\Ahead
2007-05-30 16:48:09 -------- d-----w C:\DOCUME~1\Arthur\APPLIC~1\Lavasoft
2007-05-30 15:41:56 -------- d-----w C:\Program Files\MSN Messenger
2007-05-30 11:00:01 -------- d-----w C:\Program Files\Google
2007-05-24 12:56:38 -------- d-----w C:\Program Files\Sony
2007-05-24 12:56:29 -------- d-----w C:\Program Files\Sony Corporation
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 15:28:12 -------- d-----w C:\Program Files\Common Files\Sage SBD
2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2007-06-06 12:42]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-30 11:59]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2007-06-06 12:42]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-03 14:30]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"LanzarL2007"="C:\DOCUME~1\Arthur\LOCALS~1\Temp\{64C694BF-7A51-4AFF-9318-36DC55A1B189}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" []
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-11 21:45]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 12:10]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 12:19]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2007-06-05 10:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2007-06-11 21:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 11:53]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-09-05 05:18]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-05-13 13:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

Contents of the 'Scheduled Tasks' folder
2007-06-05 16:46:05 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1181061887.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 18:36:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-12 18:41:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-12 18:41
--- E O F ---

2005-03-25 00:26 49152 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\cloader\32vegas\logos\Interop.IWshRuntimeLibrary.dll.vir
2006-07-25 16:46 26694 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\cloader\32vegas\logos\32vegas_Logo.ico.vir
2007-04-21 08:39 390241 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2007-06-05 10:51 29 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Arthur\APPLIC~1\Dxccwrd.dll.vir
2007-06-12 18:32 1220 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-06-12 18:32 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_COM+_MESSAGES.reg.cf
2007-06-12 18:32 994 --a------ C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
2007-06-12 18:33 340 --a------ C:\Qoobox\Quarantine\catchme.log
2007-06-12 18:33 409956 --a------ C:\Qoobox\Quarantine\catchme2007-06-12_183616.46.zip

Folder PATH listing
Volume serial number is A47F-EA13
C:\QOOBOX
\---Quarantine
    |   catchme.log
    |   catchme2007-06-12_183616.46.zip
    |
    +---C
    |   +---DOCUME~1
    |   |   \---Arthur
    |   |       \---APPLIC~1
    |   |               Dxccwrd.dll.vir
    |   |
    |   +---Program Files
    |   |   \---Common Files
    |   |       \---cloader
    |   |           \---32vegas
    |   |               \---logos
    |   |                       32vegas_Logo.ico.vir
    |   |                       Interop.IWshRuntimeLibrary.dll.vir
    |   |
    |   \---WINDOWS
    |       \---system32
    |           \---drivers
    |                   core.cache.dsk.vir
    |
    \---Registry_backups
            LEGACY_COM+_MESSAGES.reg.cf
            LEGACY_CORE.reg.cf
            services_core.reg.cf
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Belts-n-Braces ... :lol:


Sorry peahouse, no, you don't need all of them and you really do not want to add all those sites, except maybe your banking site, to the Trusted Zone. Take 'em out. Not via HJT, use the proper channel via IE security and delete them.

You have two AVs running, a big no no ... it will give you problems.

You do not need Ad-Aware, SBS&D or SuperAntiSpyware if you are going to use Spyware Doctor ... not all running at once anyway ;) ... and actually, that version of Ad-Aware is a heap of junk, in my opinion it is still a Beta release. I have no idea why Ad-Aware is running as a service, what are they doing?


Oh, the log is clean of any nasties I can see. :D
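The triage Mucks does by eye on the log above, written out as an added example (my own heuristics, not HijackThis code and not part of the original post): it parses HJT entry lines, flags an O4 autorun that launches from a Temp directory (the LanzarL2007 entry in the log), lists every O15 Trusted Zone entry and marks those that are wildcards or plain filenames rather than sites, reports O23 services whose file is missing and O3 toolbars with no backing file, and notes when more than one antivirus vendor shows up in the services list. The sample lines are copied from the log posted above; the AV_VENDORS list and the rules themselves are assumptions, not an authoritative signature set.

```python
"""Triage a HijackThis log for the items a reviewer looks at first.

Added example, not part of the original thread and not HijackThis code.
SAMPLE_LOG holds lines copied from the log posted above; the rules and the
AV_VENDORS list are my own assumptions.
"""
import re

SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Arthur\LOCALS~1\Temp\{64C694BF-7A51-4AFF-9318-36DC55A1B189}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: *.combofix.exe
O15 - Trusted Zone: *.xlssetup_70_337_000_en.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed list of real-time AV vendors; two of them at once is the
# "two AVs running" problem the moderator calls out.
AV_VENDORS = ("Panda Software", "Softwin", "McAfee", "Kaspersky", "Avira", "BullGuard")

# HJT lines look like "O4 - <body>"; R and F lines use the same shape.
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+)\s+-\s+(.*)$")


def triage(log_text):
    """Return (entry_type, note) pairs worth a second look, in log order."""
    findings = []
    av_seen = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        if kind == "O4" and re.search(r"\\Temp\\", body, re.I):
            # Legitimate software does not autorun from a Temp directory.
            findings.append(("O4", "autorun from a Temp directory: " + body))
        elif kind == "O15":
            target = body.split(":", 1)[1].strip()
            if re.search(r"\.(exe|dll|cab|zip)$", target, re.I):
                findings.append(("O15", "trusted-zone entry is a filename, not a site: " + target))
            elif "*" in target:
                findings.append(("O15", "wildcard trusted-zone entry: " + target))
            else:
                findings.append(("O15", "trusted-zone entry: " + target))
        elif kind == "O23":
            if "(file missing)" in body:
                findings.append(("O23", "service points at a missing file: " + body.split(" - ")[0]))
            for vendor in AV_VENDORS:
                if vendor in body:
                    av_seen.add(vendor)
        elif kind == "O3" and "(no file)" in body:
            findings.append(("O3", "toolbar with no backing file: " + body))
    if len(av_seen) > 1:
        findings.append(("AV", "more than one antivirus engine installed: " + ", ".join(sorted(av_seen))))
    return findings


if __name__ == "__main__":
    for kind, note in triage(SAMPLE_LOG):
        print("%-4s %s" % (kind, note))
```

Every O15 line is listed, not just the odd ones, because the fix Mucks gives is to remove them all through IE's own security settings; the filename and wildcard markers just show which entries could never have done anything useful in the first place. An O23 "file missing" is usually leftover from an uninstall, as with the two BitDefender services here, rather than active malware.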
 
