Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!


Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Fri May 14, 2010 1:38 am

Problem No. 1 - Bad software named Antivirus Soft loaded on drive, preventing access to files or internet.

Next - I ran in Safe Mode using Malwarebytes' Anti-Malware software; it said it cleaned all infected files but I'm still having the same problem. Also, Resident Shield Alert gives the following -- Access file is infected, file name: c:\windows\system32\msxsltsso.dll

Threat name: Trojan horse Downloader.Agent2.SNU. I am lost and confused after 7 hours of trying -- please help.

QUESTION: The Notepad info contains personally identifying Word file names; do you need that info as well, or can it be excluded through the copy-and-paste process?


Last edited by dwozz on Fri May 14, 2010 4:00 pm; edited 1 time in total (Reason for editing : Add OTL Info)

dwozz
Novice
Posts: 33
Joined: 2010-05-13
OS: WindowsXP
Points: 24476
Likes: 0

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Fri May 14, 2010 9:31 am

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Fri May 14, 2010 5:02 pm

QUESTION: The Notepad info contains personally identifying Word file names; do you need that info as well, or can it be excluded through the copy-and-paste process?


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sat May 15, 2010 12:15 am

Hello.
You can edit out any personal info, but OTL doesn't gather any personal info.





Shut Down by Trojan Horse Downloader.Agent2.SNU HELP

Post by dwozz on Sat May 15, 2010 1:34 am

Thanks, I will post shortly.


Here's the OTL data--Part 1

Post by dwozz on Sat May 15, 2010 1:54 am

OTL logfile created on: 5/14/2010 11:36:21 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = H:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 290.00 Mb Available Physical Memory | 57.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 54.30 Gb Free Space | 72.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1.86 Gb Total Space | 1.84 Gb Free Space | 98.64% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: CUSTOMCOMPUTER
Current User Name: User1
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/14 11:21:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- H:\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/05 17:23:28 | 000,561,152 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2010/05/14 11:21:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- H:\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/08/17 09:35:45 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/17 09:34:54 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/09 14:56:26 | 000,388,936 | ---- | M] (Webroot Software, Inc.) [Auto | Stopped] -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc)
SRV - [2007/06/05 17:23:28 | 000,561,152 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/05/12 22:26:25 | 000,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\isaxbox.sys -- (isaxbox)
DRV - [2009/08/17 09:36:08 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/17 09:36:08 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/10 20:58:49 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/07/19 15:10:28 | 000,127,768 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2007/03/22 13:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 13:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2006/02/21 20:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/19 08:41:00 | 000,241,280 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/01/11 08:25:10 | 000,923,826 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2003/10/31 11:22:38 | 000,077,312 | R--- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viasraid.sys -- (viasraid)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: *{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/15 09:05:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 23:59:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/08 19:14:04 | 000,000,000 | ---D | M]

[2009/12/29 17:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Extensions
[2009/07/01 19:21:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/12 22:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions
[2009/08/22 22:09:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/11 10:24:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/05/17 17:12:31 | 000,000,000 | ---D | M] (Sothink Web Video Downloader for Firefox) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
[2010/05/12 22:29:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/08 19:14:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\zoomext@starfield
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/20 13:34:44 | 000,218,624 | ---- | M] (Starfield Technology, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwbe.dll

O1 HOSTS File: ([2004/08/03 21:07:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AMTDeviceService] C:\Program Files\AMT Media Manager\AMTDeviceService.exe ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [jcxjcxim] C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [apmanager.exe] C:\Documents and Settings\User1\Application Data\ATManager\apmanager.exe File not found
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\User1\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe File not found
O4 - HKCU..\Run: [jcxjcxim] C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk = C:\Program Files\CallWave\IAM.exe (CallWave, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe (VIA Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: rf4qy = C:\DOCUME~1\User1\LOCALS~1\Temp\b8n8nse.exe File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Show BookTemplate Toolbar! - {4444FF7E-2019-4df0-B7FD-B7F20FE02417} - Reg Error: Key error. File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} [You must be registered and logged in to see this link.] (FunGamesLoader Object)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} [You must be registered and logged in to see this link.] (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} [You must be registered and logged in to see this link.] (HpProductDetection Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} [You must be registered and logged in to see this link.] (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} [You must be registered and logged in to see this link.] (HPSDDX Class)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} [You must be registered and logged in to see this link.] (Royal Control)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: Web-Based Email Tools [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\User1\Application Data\ATManager\apmanager.exe) - C:\Documents and Settings\User1\Application Data\ATManager\apmanager.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O21 - SSODL: GootkitSSO - {B748E36E-423E-4122-9A24-B0675B3BE0FE} - C:\WINDOWS\System32\msxsltsso.dll File not found
O21 - SSODL: msmdev - {F15258F6-39ED-43A9-8AD3-20E92335C8C1} - C:\WINDOWS\msmdev.dll File not found
O21 - SSODL: msmhost - {6640FFC7-8295-46E9-8177-4AE01B206A4D} - C:\WINDOWS\msmhost.dll File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/08 23:03:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\AutoRun\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\install\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualEnglish\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualFrench\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualSpanish\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell - "" = AutoRun
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\User1\Application Data\iolo\) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/13 07:54:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/12 22:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi
[2010/05/12 22:26:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\ATManager
[2010/05/11 11:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\DCFS-Apps_Rules
[2010/05/08 19:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\Starfield
[2010/04/30 22:31:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\MGI
[2010/04/22 08:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\IRS Response 2007 Taxes
[2010/04/18 17:37:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\Sample Book Covers_SAT
[2010/04/16 11:38:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\SATWeb_files
[2005/08/31 21:33:54 | 000,092,672 | ---- | C] ( ) -- C:\WINDOWS\System32\DVDRead.dll
[5 C:\Documents and Settings\User1\My Documents\*.tmp files -> C:\Documents and Settings\User1\My Documents\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/14 11:31:32 | 008,912,896 | ---- | M] () -- C:\Documents and Settings\User1\ntuser.dat
[2010/05/14 11:30:49 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/14 11:27:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/14 11:25:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/14 11:25:21 | 000,000,310 | -HS- | M] () -- C:\WINDOWS\tasks\WQKNOY.job
[2010/05/13 23:04:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\User1\ntuser.ini
[2010/05/13 23:04:02 | 004,768,656 | -H-- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\IconCache.db
[2010/05/13 22:14:39 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/13 22:14:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
[2010/05/13 22:14:21 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\PCConfidential.job
[2010/05/13 20:02:13 | 000,039,183 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\
[2010/05/13 17:43:11 | 000,000,976 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\ATManager.lnk
[2010/05/13 14:20:44 | 000,001,004 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\magicJack.lnk
[2010/05/13 07:57:53 | 000,000,340 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 22:27:53 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/05/12 22:27:02 | 001,882,240 | ---- | M] () -- C:\WINDOWS\System32\download.exe
[2010/05/12 22:26:25 | 000,002,304 | ---- | M] () -- C:\WINDOWS\System32\isaxbox.sys
[2010/05/12 20:09:36 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
[2010/05/12 09:49:15 | 059,877,427 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/12 08:47:53 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/12 08:47:53 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/11 11:49:02 | 000,055,352 | ---- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/11 08:21:33 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/09 19:25:33 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\Zow_Group_990_Assistance.2009_J.Bowling.doc
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/04/30 22:24:24 | 000,236,760 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/19 22:35:41 | 000,013,028 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\Final_Book Cover.docx
[2010/04/18 11:41:49 | 000,010,908 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\The book encompasses roadmap leads utimately to a destination of fidelity.docx
[2010/04/16 11:38:33 | 000,122,945 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\SATWeb.htm
[2010/04/15 13:22:31 | 000,012,034 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\Product Description.docx
[5 C:\Documents and Settings\User1\My Documents\*.tmp files -> C:\Documents and Settings\User1\My Documents\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/13 20:02:12 | 000,039,183 | ---- | C] () -- C:\Documents and Settings\User1\Desktop
[2010/05/12 22:27:22 | 000,000,976 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\ATManager.lnk
[2010/05/12 22:26:30 | 001,882,240 | ---- | C] () -- C:\WINDOWS\System32\download.exe
[2010/05/12 22:26:25 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\isaxbox.sys
[2010/05/12 22:18:40 | 000,014,047 | ---- | C] () -- C:\Documents and Settings\User1\hs_err_pid2804.log
[2010/05/12 08:47:53 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/12 08:47:53 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/05/09 19:25:33 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\User1\My Documents\htm
[2010/04/15 13:22:29 | 000,012,034 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\Product Description.docx
[2010/04/13 09:18:54 | 000,051,712 | ---- | C] () -- C:\WINDOWS\wc98pp.dll
[2009/12/27 16:39:33 | 000,001,264 | ---- | C] () -- C:\WINDOWS\disney.ini
[2009/12/04 00:54:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2009/12/04 00:53:53 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2009/12/04 00:53:51 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Jpeglib.dll
[2009/12/04 00:53:50 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\Fpxlib.dll
[2009/12/04 00:53:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2009/10/07 21:43:45 | 000,000,074 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini
[2009/10/06 19:20:10 | 000,056,832 | RHS- | C] () -- C:\WINDOWS\System32\mfszwmz.dll
[2009/04/15 18:35:24 | 000,018,790 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2008/05/27 18:04:07 | 000,000,100 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/22 17:00:13 | 000,000,037 | ---- | C] () -- C:\WINDOWS\SWFConverter.INI
[2008/05/22 17:00:09 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/05/22 17:00:09 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/05/12 09:33:55 | 000,000,390 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/05/09 22:18:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2008/03/12 18:54:31 | 000,000,340 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/06/11 17:41:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/09 01:42:41 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2007/06/09 01:42:40 | 000,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2007/06/09 00:09:05 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/11/11 02:16:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2004/11/10 05:42:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2004/11/10 05:42:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2004/11/10 05:42:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56brz.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E6F9610D
< End of report >


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sat May 15, 2010 10:29 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    IE - HKCU\..\URLSearchHook: *{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: *{A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: *{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O4 - HKLM..\Run: [jcxjcxim] C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe ()
    O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\qttask.exe (Apple Inc.)
    O4 - HKCU..\Run: [jcxjcxim] C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe ()
    O21 - SSODL: msmdev - {F15258F6-39ED-43A9-8AD3-20E92335C8C1} - C:\WINDOWS\msmdev.dll File not found
    O21 - SSODL: msmhost - {6640FFC7-8295-46E9-8177-4AE01B206A4D} - C:\WINDOWS\msmhost.dll File not found
    [2010/05/12 22:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Mon May 17, 2010 4:21 am

Hello, here it is. Thanks!


========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jcxjcxim deleted successfully.
File C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.
C:\Program Files\QuickTime\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\qttask.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\jcxjcxim not found.
File C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\msmdev deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F15258F6-39ED-43A9-8AD3-20E92335C8C1}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\msmhost deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6640FFC7-8295-46E9-8177-4AE01B206A4D}\ deleted successfully.
Folder C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\ not found.

OTL by OldTimer - Version 3.2.4.1 log created on 05172010_001154


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Mon May 17, 2010 9:32 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Tue May 18, 2010 12:59 am

FYI, I am unable to connect to the internet on my infected computer. Therefore, I downloaded the updated MBAM successfully to a flash drive from a laptop and then attempted to run it on the infected computer and it did not read the update and gave me this error:

MBAM_Error_UPDATING (12007,0,Win Http Send Request)

I continued to the scan mode as directed and it is scanning the old version that I previously ran a few days ago. I will post the results for you as soon as they are ready.

Thanks.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP

Post by dwozz on Tue May 18, 2010 1:39 am

After disinfection, still can't access the internet or files. here's the MBAM log:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/17/2010 9:25:22 PM
mbam-log-2010-05-17 (21-25-22).txt

Scan type: Quick scan
Objects scanned: 129804
Time elapsed: 33 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d83a7b12-a4d4-4984-8f72-d41c6b4c1e6e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\download.exe (Trojan.FraudTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\986022JL\oriqbjdp[1].htm (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\986022JL\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\DS2RWPXZ\hypwhc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\L2H5M9PS\oriqbjdp[2].htm (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\REFRF01C\fjnvpk[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\REFRF01C\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\REFRF01C\hypwhc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Tue May 18, 2010 10:00 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Tue May 18, 2010 10:41 pm

I am unable to update by re-running malware because the Trojan is preventing a connection to the internet for the update. I have the malware on the infected computer from Oct. 09 but the virus won't allow an update due to no access to internet. I updated the malware from a laptop and saved on a flash drive but even the flash drive with the malware update won't run on the infected computer. Any options?


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Wed May 19, 2010 10:44 pm

Hello.

Remove the Proxy setting in Internet Explorer and/or in Firefox.

In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> choose "No Proxy".
  2. Click the Apply button and restart that computer in normal mode.

Try now.


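The two fixes in this thread, the OTL script that removes the Run and SSODL load points and the proxy removal in this post, are the kind of thing worth checking for automatically when reading an OTL or ComboFix log. The script below is an added example (not part of Belahzur's or dwozz's posts, and not a tool from this thread) that parses a few log lines copied from the logs posted here and flags three indicators: an autorun entry with no publisher whose executable lives under Documents and Settings, a ShellServiceObjectDelayLoad entry whose DLL no longer exists, and a ProxyServer value pointing at loopback. The line formats are those of OTL (O4/O21) and ComboFix (uInternet Settings); the heuristics, function names and the sample input are my own.

```python
"""Triage helper for OTL / ComboFix style log lines (added example, not part of the thread)."""
import ipaddress
import re

# Constructed sample input: one line of each kind, copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [jcxjcxim] C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\bak\qttask.exe (Apple Inc.)
O4 - HKCU..\Run: [jcxjcxim] C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi\oaouumctssd.exe ()
O21 - SSODL: msmdev - {F15258F6-39ED-43A9-8AD3-20E92335C8C1} - C:\WINDOWS\msmdev.dll File not found
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"""

# OTL "O4" autorun line: hive, value name, executable path, publisher in trailing parentheses.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<publisher>[^()]*)\)\s*$"
)
# OTL "O21" ShellServiceObjectDelayLoad line; OTL appends "File not found" when the DLL is missing.
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> File not found)?\s*$"
)
# ComboFix per-user proxy line. On the machine itself this value lives under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable / ProxyServer).
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.*)$")
# Anything under a user profile is writable by that user, so it is an unusual home for an autorun.
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.IGNORECASE)


def proxy_hosts(value):
    """Return the host part of each proxy entry in an IE ProxyServer value.

    Accepts both the plain 'host:port' form and the 'http=host:port;https=host:port' form."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        hosts.append(host.strip("[]"))
    return hosts


def is_local_proxy(host):
    """True when the proxy host is loopback, i.e. browser traffic is routed through a local process."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Scan log lines and return a list of findings, one dict per suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            if USER_PROFILE_RE.search(m["path"]) and not m["publisher"].strip():
                findings.append({"kind": "autorun_in_user_profile", "hive": m["hive"],
                                 "name": m["name"], "path": m["path"]})
            continue
        m = O21_RE.match(line)
        if m:
            if m["missing"]:
                findings.append({"kind": "ssodl_missing_file", "name": m["name"], "path": m["path"]})
            continue
        m = PROXY_RE.match(line)
        if m:
            for host in proxy_hosts(m["value"]):
                if is_local_proxy(host):
                    findings.append({"kind": "loopback_proxy", "host": host, "value": m["value"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], {k: v for k, v in finding.items() if k != "kind"})
```

The loopback proxy check is the one that explains the symptom later in this thread: once the process that listened on 127.0.0.1:5555 has been removed, the browser still sends every request to a port nobody answers and reports that it cannot find the server, which is why clearing the proxy setting is a separate step from removing the malware.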

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Fri May 21, 2010 12:20 am

Belahzur,

I have removed proxy settings as directed. However, I still can't access the internet. Here are the messages:

Mozilla: "Problem Loading Page" firefox can't find server of en-us, start 3 mozilla.com

Internet Explorer can't display the webpage.

Good news though, the virus messages are not popping up! I think we are almost there....

Thanks so much..


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Fri May 21, 2010 1:46 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Fri May 21, 2010 10:35 pm

Belahzur,

I can only download Combofix to a laptop with an internet connection, onto a flash drive, because of no internet connection on the infected computer. Will I be able to run Combofix on the infected computer from the flash drive without an internet connection?

Thanks so much!


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Fri May 21, 2010 10:57 pm

Yes.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sat May 22, 2010 1:00 am

You are the best! I'll report results soon.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sat May 22, 2010 2:09 am

Belahzur,

I ran Combo-fix from flash drive on infected computer and was informed that Microsoft Windows Recovery needed to be installed on infected computer and you know what it said next was the computer is "not connected to internet" and could not download. What now? I feel so close to victory!

Thanks...


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sat May 22, 2010 1:57 pm

Hello.
Select No to the prompt for that; the malware is blocking it. The RC isn't needed right now, and once I get the log, I'll repair the internet connection too.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sat May 22, 2010 11:49 pm

B.

I sense victory is near! here's the log:


ComboFix 10-05-21.04 - User1 05/22/2010 19:20:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.205 [GMT -4:00]
Running from: H:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
PEV Error: AppFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User1\MYDOCU~1\GUARDI~1\101Ebo~1.exe
c:\documents and settings\User1\g2mdlhlpx.exe
c:\program files\AsesoftNet iToolbar
c:\program files\AsesoftNet iToolbar\BookTemplate\BookTemplate.xml
c:\program files\AsesoftNet iToolbar\BookTemplate\core.txt
c:\program files\AsesoftNet iToolbar\BookTemplate\favicon.ico
c:\program files\AsesoftNet iToolbar\BookTemplate\logo.bmp
c:\program files\AsesoftNet iToolbar\BookTemplate\nav.bmp
c:\program files\AsesoftNet iToolbar\BookTemplate\nav_hot.bmp
c:\program files\AsesoftNet iToolbar\BookTemplate\version.txt
C:\setup.exe
c:\windows\wc98pp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 01:54 . 2010-05-21 01:55 -------- d-----w- C:\Inetpub
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\Yahoo
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\Google
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Application Data\Yahoo!
2010-05-18 01:07 . 2010-05-18 01:07 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\PCHealth
2010-05-15 14:51 . 2010-05-15 14:51 -------- d-----w- c:\documents and settings\User2\Application Data\Malwarebytes
2010-05-15 14:25 . 2010-05-22 23:15 -------- d-----w- c:\program files\a-squared Free
2010-05-13 18:19 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\setup.exe
2010-05-13 18:19 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\ar00000\install.exe
2010-05-13 11:54 . 2010-05-13 12:15 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-13 02:27 . 2010-05-13 02:27 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-05-13 02:27 . 2010-05-13 02:27 298994 ----a-w- c:\documents and settings\User1\Application Data\ATManager\uninstall.exe
2010-05-13 02:26 . 2010-05-21 01:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\lrcldabqi
2010-05-13 02:26 . 2010-05-13 02:29 -------- d-----w- c:\documents and settings\User1\Application Data\ATManager
2010-05-08 23:14 . 2010-05-08 23:14 -------- d-----w- c:\program files\Starfield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 23:35 . 2009-02-05 16:41 -------- d-----w- c:\program files\CallWave
2010-05-22 23:15 . 2007-06-09 05:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 01:43 . 2007-06-09 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-22 01:39 . 2008-08-05 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-18 01:33 . 2009-10-15 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 18:20 . 2009-06-26 23:08 -------- d-----w- c:\documents and settings\User1\Application Data\mjusbsp
2010-05-13 11:51 . 2010-03-22 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 15:49 . 2007-06-09 05:40 55352 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 23:00 . 2009-07-01 23:21 -------- d-----w- c:\documents and settings\User1\Application Data\LimeWire
2010-05-06 14:36 . 2009-10-03 15:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 12:20 . 2009-12-04 04:53 -------- d-----w- c:\documents and settings\User1\Application Data\MGI
2010-04-29 19:39 . 2009-10-15 01:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-10-15 01:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 03:53 . 2010-04-14 03:53 -------- d-----w- c:\program files\TrueSwitch
2010-04-04 19:06 . 2010-04-04 19:06 -------- d-----w- c:\program files\Microsoft Reference
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-15 13:05 . 2010-03-15 13:05 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-15 13:05 . 2010-03-15 13:05 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-15 13:02 . 2007-06-09 05:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-15 13:02 . 2007-06-09 05:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-11 12:38 . 2004-08-04 01:07 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 01:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 01:07 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 01:07 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 20:58 . 2010-03-07 20:58 65823 ----a-w- c:\documents and settings\User1\Application Data\magicJackOutlookAddIn\magicJackOutlookAddInUninst.exe
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-02 13:41 6870864 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-02 13:41 743872 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\cdloader2.exe
2010-02-24 13:11 . 2004-08-04 01:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-10-06 23:20 . 2009-10-06 23:20 56832 --sha-r- c:\windows\system32\mfszwmz.dll
2008-04-02 12:59 . 2008-04-01 15:48 2159392 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

------- Sigcheck -------

[-] 2010-05-13 02:27 . 09925C49086F2785C061418F7FCA406F . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

c:\windows\System32\drivers\ndis.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\User1\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-20 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - c:\program files\CallWave\IAM.exe [2009-2-5 1940544]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2007-6-9 565248]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\User1\Application Data\iolo"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-01 20:51 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"c:\\Documents and Settings\\User1\\Application Data\\mjusbsp\\magicJack.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/9/2007 3:23 AM 77312]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [1/30/2008 9:34 AM 388936]
S3 isaxbox;isaxbox;\??\c:\windows\system32\isaxbox.sys --> c:\windows\system32\isaxbox.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-05-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{4444FF7E-2019-4df0-B7FD-B7F20FE02417} - {ccdc304a-4095-46a4-8b66-2b5cb3dfca3c} -
Trusted Zone: turbotax.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
DPF: Web-Based Email Tools - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
URLSearchHooks-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
WebBrowser-{8D8318EE-1E9B-4CA2-8654-BE0D8A2BD9F1} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-22 19:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(332)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\CallWave\CWIdle.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\sm56hlpr.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-05-22 19:42:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 23:42

Pre-Run: 57,544,990,720 bytes free
Post-Run: 57,813,762,048 bytes free

- - End Of File - - B25FD31C8EF1AC7613EC14B1CA353AD7


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sat May 22, 2010 11:55 pm

Hello.
Okay, let's get this fixed.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    FCopy::
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\dllcache\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\System32\drivers\ndis.sys

    Driver::
    isaxbox

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
    IE: {{4444FF7E-2019-4df0-B7FD-B7F20FE02417} - {ccdc304a-4095-46a4-8b66-2b5cb3dfca3c} -

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

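The DDS:: section of the CFScript above strips the `ProxyServer = http=127.0.0.1:5555` value. That loopback proxy, a pattern typical of the Antivirus Soft family, is what keeps the browser from reaching anything once the rogue's listening process has been killed, and the OTL log later in this thread shows the value is still present even with ProxyEnable set to 0. As an added example (not part of the original thread and not ComboFix or OTL code), the Python below parses the proxy lines and the `policies\Explorer\Run` entries in the ComboFix and OTL log formats seen here, flags a proxy that points at loopback and an autorun launched from the user's Temp folder, and emits the .reg text that resets the proxy values. The sample lines are copied from the logs posted in this thread; the function names (`triage`, `parse_proxy_value`, `is_local_proxy`, `proxy_reset_reg`) are my own.

```python
"""Added example: triage the proxy hijack and policy-Run autorun seen in this thread's logs.

Not ComboFix/OTL code.  Nothing here touches the live registry; it only reads
log text and produces a .reg file body for the operator to import.
"""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the ComboFix and OTL logs in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: rf4qy = C:\DOCUME~1\User1\LOCALS~1\Temp\b8n8nse.exe File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
"""

# Matches both the ComboFix form ('uInternet Settings,ProxyServer = ...') and
# the OTL form ('... Internet Settings: "ProxyServer" = ...').
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(?P<value>\S.*)$')
# Policies\Explorer\Run (OTL's O6 line).  Malware favours this key because
# msconfig and most startup managers never display it.
POLICY_RUN_RE = re.compile(
    r'policies\\Explorer\\Run:\s*(?P<name>\S+)\s*=\s*(?P<path>.+?)(?:\s+File not found)?\s*$', re.I)
# The per-user Temp folder, in short (8.3) and long form.
TEMP_DIR_RE = re.compile(r'\\(LOCALS~1|Local Settings)\\Temp\\', re.I)


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    Accepts 'http=127.0.0.1:5555;https=proxy:8080' and the bare 'host:port' form
    (scheme reported as 'all').  Port is None when absent or non-numeric.
    """
    entries = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition('=')      # scheme is '' for the bare form
        host, sep, port = hostport.rpartition(':')
        if not sep:                                      # no port at all
            host, port = hostport, ''
        entries.append((scheme or 'all', host, int(port) if port.isdigit() else None))
    return entries


def is_local_proxy(host):
    """True for loopback or link-local proxies: no legitimate corporate proxy lives there.

    Private ranges (10/8, 192.168/16, ...) are deliberately NOT flagged, since
    real proxies commonly sit on them.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == 'localhost'
    return ip.is_loopback or ip.is_link_local


def triage(log_text):
    """Return de-duplicated (category, detail) findings for the indicators above."""
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group('value')):
                if is_local_proxy(host):
                    add(('loopback_proxy', f'{scheme} -> {host}:{port}'))
            continue
        m = POLICY_RUN_RE.search(line)
        if m and TEMP_DIR_RE.search(m.group('path')):
            add(('policy_run_from_temp', f"{m.group('name')} = {m.group('path').strip()}"))
    return findings


def proxy_reset_reg():
    """Body of a .reg file that undoes the hijack for the current user.

    A value set to '-' is deleted on import; ProxyEnable is forced to 0 so
    WinINet goes direct even if a stale ProxyServer value survives elsewhere.
    """
    return (
        'Windows Registry Editor Version 5.00\r\n\r\n'
        r'[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]' '\r\n'
        '"ProxyEnable"=dword:00000000\r\n'
        '"ProxyServer"=-\r\n'
        '"ProxyOverride"=-\r\n'
    )


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category}: {detail}')
    print(proxy_reset_reg())
```

The .reg text has to be imported (`reg import fix.reg`) while logged on as the affected user, because the key lives under HKEY_CURRENT_USER; the same result can be had through Internet Options > Connections > LAN settings by clearing the proxy box. The `policy_run_from_temp` finding is only a flag: the O6 entry in this thread already reads "File not found", so the remaining work is deleting the orphaned value, not the file.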

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sun May 23, 2010 1:28 am

B.

I made a mistake and caused a problem:

I dragged the CFScript.txt over the combofix.exe icon, but instead of waiting on the launch I clicked on "open with". It appeared to run ComboFix, but as it rebooted it took me to an F1 prompt, which then took me to a screen to select "Windows to run normally". I clicked Enter, but it keeps looping back to the same screen after rebooting and I can't get back to the Windows XP screen. I am sorry that I stumbled in this direction and hope you can get me back on track.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sun May 23, 2010 1:55 pm

Are you still able to boot normally?



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sun May 23, 2010 5:00 pm

No. It attempts to open Windows XP and then restarts and loops back to the same screen: "We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change may have caused this."

Thanks.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sun May 23, 2010 5:23 pm

Hello.
When booting, start tapping the F8 key to open the advanced boot menu.

Choose the option that says "Last Known Good Configuration" and see if you can boot now.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sun May 23, 2010 6:02 pm

B.

I selected "Last Known Good Configuration", but it continues the same loop back to the same page without opening Windows XP. I feel terrible about shooting myself in the foot after all of your outstanding and brilliant efforts to help me through this nightmare.

Any other options?

D.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sun May 23, 2010 11:02 pm

Hello.
Do you have your XP disc?



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sun May 23, 2010 11:34 pm

Yes, I have the XP disk (Reinstallation CD, MXP Home Edition Service Pack 2) that came with my Dell laptop, but will it work on my infected PC?


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Tue May 25, 2010 12:39 am

B.

Should I try to load the disk?


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Tue May 25, 2010 9:00 pm

Yes please.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Wed May 26, 2010 12:25 am

I inserted the Windows XP CD in the PC and rebooted but the reinstallation does not start. It continues the same loop as before.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Wed May 26, 2010 1:00 am

When I attempted to run setup, I got this message:

"Setup could not continue because the version of Windows is newer than my CD. To erase the newer version and install the older version, restart the computer and boot from CD."

It won't start the installation because of the continual loop.

Thanks.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Wed May 26, 2010 9:48 pm

Hello.
When prompted, did you type R for a repair install?



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Thu May 27, 2010 3:39 am

Belahzur,

We're back in business. I was able to do a System Restore to the May 21st restore point and then tried ComboFix as directed. However, ComboFix did not produce a log; it started the same loop again, even though I did it right this time. Can you fix the internet connection without the ComboFix step?

Thanks!


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Thu May 27, 2010 8:48 pm

Re-Run OTL and post the new log.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Fri May 28, 2010 12:17 am

Okay.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Tue Jun 01, 2010 2:13 am

Belahzur,

Here's the OTL log:
OTL logfile created on: 5/31/2010 9:44:48 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = H:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 204.00 Mb Available Physical Memory | 40.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 52.15 Gb Free Space | 69.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1.86 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: CUSTOMCOMPUTER
Current User Name: User1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/14 11:21:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- H:\OTL.exe
PRC - [2010/04/15 08:25:20 | 001,872,320 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2010/03/25 17:15:38 | 001,940,544 | ---- | M] (CallWave, Inc.) -- C:\Program Files\CallWave\IAM.exe
PRC - [2010/03/15 09:02:27 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/01/21 17:11:36 | 000,184,320 | ---- | M] () -- C:\Program Files\AMT Media Manager\AMTDeviceService.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 14:56:26 | 000,388,936 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe
PRC - [2007/06/05 17:23:28 | 000,561,152 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/12/29 07:01:56 | 000,544,768 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
PRC - [2003/11/18 14:11:04 | 000,565,248 | R--- | M] (VIA Technologies) -- C:\Program Files\VIA\RAID\raid_tool.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/05/31 21:28:23 | 000,163,840 | ---- | M] () -- C:\Program Files\CallWave\CWIdle.dll
MOD - [2010/05/14 11:21:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- H:\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/15 08:25:20 | 001,872,320 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/09 14:56:26 | 000,388,936 | ---- | M] (Webroot Software, Inc.) [Auto | Running] -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc)
SRV - [2007/06/05 17:23:28 | 000,561,152 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/07/19 15:10:28 | 000,127,768 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2007/03/22 13:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 13:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2006/02/21 20:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/19 08:41:00 | 000,241,280 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/01/11 08:25:10 | 000,923,826 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2003/10/31 11:22:38 | 000,077,312 | R--- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viasraid.sys -- (viasraid)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/15 09:05:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 23:59:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/08 19:14:04 | 000,000,000 | ---D | M]

[2009/12/29 17:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Extensions
[2009/07/01 19:21:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/12 22:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions
[2009/08/22 22:09:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/11 10:24:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/05/17 17:12:31 | 000,000,000 | ---D | M] (Sothink Web Video Downloader for Firefox) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
[2010/05/15 14:32:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/08 19:14:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\zoomext@starfield
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/20 13:34:44 | 000,218,624 | ---- | M] (Starfield Technology, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwbe.dll

O1 HOSTS File: ([2010/05/22 19:35:03 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AMTDeviceService] C:\Program Files\AMT Media Manager\AMTDeviceService.exe ()
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\User1\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk = C:\Program Files\CallWave\IAM.exe (CallWave, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe (VIA Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: rf4qy = C:\DOCUME~1\User1\LOCALS~1\Temp\b8n8nse.exe File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Show BookTemplate Toolbar! - {4444FF7E-2019-4df0-B7FD-B7F20FE02417} - Reg Error: Key error. File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} [You must be registered and logged in to see this link.] (FunGamesLoader Object)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} [You must be registered and logged in to see this link.] (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} [You must be registered and logged in to see this link.] (HpProductDetection Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} [You must be registered and logged in to see this link.] (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} [You must be registered and logged in to see this link.] (HPSDDX Class)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} [You must be registered and logged in to see this link.] (Royal Control)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: Web-Based Email Tools [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/08 23:03:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\AutoRun\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\install\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualEnglish\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualFrench\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualSpanish\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell - "" = AutoRun
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\User1\Application Data\iolo\) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/26 23:48:59 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/26 23:48:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
[2010/05/26 23:48:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/26 23:40:49 | 000,000,000 | ---D | C] -- C:\Program Files\AsesoftNet iToolbar
[2010/05/26 23:40:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/26 23:39:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/26 23:24:16 | 000,000,000 | ---D | C] -- C:\Combo-Fix(3)
[2010/05/26 22:39:50 | 000,000,000 | ---D | C] -- C:\RECYCLER(3)
[2010/05/22 21:08:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER(2)
[2010/05/22 21:08:09 | 000,000,000 | --SD | C] -- C:\Combo-Fix(2)
[2010/05/22 19:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/21 21:52:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/21 21:52:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/20 21:54:43 | 000,000,000 | ---D | C] -- C:\Inetpub
[2010/05/15 10:25:49 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/05/13 07:54:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/12 22:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi
[2010/05/12 22:26:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\ATManager
[2010/05/11 11:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\DCFS-Apps_Rules
[2010/05/08 19:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\Starfield
[2005/08/31 21:33:54 | 000,092,672 | ---- | C] ( ) -- C:\WINDOWS\System32\DVDRead.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\Documents and Settings\User1\My Documents\*.tmp files -> C:\Documents and Settings\User1\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/31 21:30:45 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/31 21:30:36 | 000,000,235 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\Shortcut to _OTL.lnk
[2010/05/31 21:28:15 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/31 21:28:12 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
[2010/05/31 21:27:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/31 21:27:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/31 21:27:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/31 21:27:35 | 535,613,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/27 00:07:24 | 008,749,056 | ---- | M] () -- C:\Documents and Settings\User1\ntuser.dat
[2010/05/27 00:07:24 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\User1\ntuser.ini
[2010/05/27 00:07:18 | 004,314,720 | -H-- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\IconCache.db
[2010/05/22 19:35:42 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/22 19:35:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/20 21:55:21 | 000,005,878 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/15 10:31:49 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/05/13 19:53:50 | 000,096,477 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\~$imalistic_Thinking_Manuscript_5.10.10.docx
[2010/05/13 17:43:11 | 000,000,976 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\ATManager.lnk
[2010/05/13 14:20:44 | 000,001,004 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\magicJack.lnk
[2010/05/13 07:57:53 | 000,000,340 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 22:27:53 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/05/12 20:09:36 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
[2010/05/12 08:47:53 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/12 08:47:53 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/11 11:49:02 | 000,055,352 | ---- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/09 19:25:33 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\Zow_Group_990_Assistance.2009_J.Bowling.doc
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\Documents and Settings\User1\My Documents\*.tmp files -> C:\Documents and Settings\User1\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/31 21:30:36 | 000,000,235 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\Shortcut to _OTL.lnk
[2010/05/26 23:51:57 | 535,613,440 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/21 21:40:54 | 008,749,056 | ---- | C] () -- C:\Documents and Settings\User1\ntuser.dat
[2010/05/15 10:26:07 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/05/13 19:53:50 | 000,096,477 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\~$imalistic_Thinking_Manuscript_5.10.10.docx
[2010/05/13 16:04:11 | 000,005,074 | ---- | C] () -- C:\Documents and Settings\User1\avgrep.txt
[2010/05/12 22:27:53 | 000,210,816 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/05/12 22:27:22 | 000,000,976 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\ATManager.lnk
[2010/05/12 22:18:40 | 000,014,047 | ---- | C] () -- C:\Documents and Settings\User1\hs_err_pid2804.log
[2010/05/12 08:47:53 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/12 08:47:53 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/05/09 19:25:33 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\User1\My Documents\Zow_Group_990_Assistance.2009_J.Bowling.doc
[2010/04/13 09:18:54 | 000,051,712 | ---- | C] () -- C:\WINDOWS\wc98pp.dll
[2009/12/27 16:39:33 | 000,001,264 | ---- | C] () -- C:\WINDOWS\disney.ini
[2009/12/04 00:54:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2009/12/04 00:53:53 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2009/12/04 00:53:51 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Jpeglib.dll
[2009/12/04 00:53:50 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\Fpxlib.dll
[2009/12/04 00:53:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2009/10/07 21:43:45 | 000,000,074 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini
[2009/10/06 19:20:10 | 000,056,832 | RHS- | C] () -- C:\WINDOWS\System32\mfszwmz.dll
[2009/04/15 18:35:24 | 000,018,790 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2008/05/27 18:04:07 | 000,000,100 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/22 17:00:13 | 000,000,037 | ---- | C] () -- C:\WINDOWS\SWFConverter.INI
[2008/05/22 17:00:09 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/05/22 17:00:09 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/05/12 09:33:55 | 000,000,390 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/05/09 22:18:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2008/03/12 18:54:31 | 000,000,340 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/06/11 17:41:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/09 01:42:41 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2007/06/09 01:42:40 | 000,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2007/06/09 00:09:05 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/11/11 02:16:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2004/11/10 05:42:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2004/11/10 05:42:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2004/11/10 05:42:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56brz.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E6F9610D
< End of report >


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Tue Jun 01, 2010 8:47 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    IE - HKCU\..\URLSearchHook: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Wed Jun 02, 2010 3:18 am

Here it is:

========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.

OTL by OldTimer - Version 3.2.4.1 log created on 06012010_231428


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Wed Jun 02, 2010 8:27 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Thu Jun 03, 2010 12:27 am

Belahzur,

Please see Post 10 & 11 and let me know if you want me to repeat it. Remember, I can't update the MBAM due to lack of internet connection.

Thanks.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Thu Jun 03, 2010 9:18 pm

Damn proxy is annoying as hell, ain't it?

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.


Do you have a net connection now?



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Thu Jun 03, 2010 10:47 pm

Unfortunately--No. Those "low-life criminal virus pirates" really did a job on my PC. I am confident that you will beat them!

I await your next direction.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Fri Jun 04, 2010 9:17 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Sat Jun 05, 2010 2:49 pm

B.

Please see Post 16-22, I already ran the combofix and ran into a roadblock. I realize our dialogue has been going on for over three weeks and I appreciate your patience.

Thanks.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Sat Jun 05, 2010 10:10 pm

I know, but try again please.



Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by dwozz on Wed Jun 09, 2010 4:59 am

B.

Here's the log:
ComboFix 10-06-08.02 - User1 06/09/2010 0:33.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.198 [GMT -4:00]
Running from: H:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-05-27 03:49 . 2010-05-27 03:49 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-27 03:48 . 2010-05-27 03:48 -------- d-----w- c:\program files\Lavasoft
2010-05-27 03:48 . 2010-05-27 03:48 -------- d-----w- c:\windows\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
2010-05-27 03:48 . 2010-05-27 03:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-27 03:39 . 2010-05-27 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 03:24 . 2010-05-27 03:39 -------- d-----w- C:\Combo-Fix(3)
2010-05-27 02:39 . 2010-05-27 03:40 -------- d-----w- C:\RECYCLER(3)
2010-05-23 01:08 . 2010-05-27 03:40 -------- d-----w- C:\RECYCLER(2)
2010-05-23 01:08 . 2010-05-27 03:40 -------- d-----w- C:\Combo-Fix(2)
2010-05-21 01:54 . 2010-05-21 01:55 -------- d-----w- C:\Inetpub
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\Yahoo
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\Google
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Application Data\Yahoo!
2010-05-18 01:07 . 2010-05-18 01:07 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\PCHealth
2010-05-15 14:51 . 2010-05-15 14:51 -------- d-----w- c:\documents and settings\User2\Application Data\Malwarebytes
2010-05-15 14:25 . 2010-05-27 03:47 -------- d-----w- c:\program files\a-squared Free
2010-05-13 18:19 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\setup.exe
2010-05-13 18:19 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\ar00000\install.exe
2010-05-13 11:54 . 2010-05-13 12:15 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-13 02:27 . 2010-05-13 02:27 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-05-13 02:26 . 2010-05-21 01:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\lrcldabqi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 03:47 . 2007-06-09 05:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:39 . 2007-06-09 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-22 23:35 . 2009-02-05 16:41 -------- d-----w- c:\program files\CallWave
2010-05-22 01:39 . 2008-08-05 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-13 18:20 . 2009-06-26 23:08 -------- d-----w- c:\documents and settings\User1\Application Data\mjusbsp
2010-05-13 11:51 . 2010-03-22 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 15:49 . 2007-06-09 05:40 55352 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 23:00 . 2009-07-01 23:21 -------- d-----w- c:\documents and settings\User1\Application Data\LimeWire
2010-05-08 23:14 . 2010-05-08 23:14 -------- d-----w- c:\program files\Starfield
2010-05-06 14:36 . 2009-10-03 15:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 12:20 . 2009-12-04 04:53 -------- d-----w- c:\documents and settings\User1\Application Data\MGI
2010-04-29 19:39 . 2009-10-15 01:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-10-15 01:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 03:53 . 2010-04-14 03:53 -------- d-----w- c:\program files\TrueSwitch
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-15 13:05 . 2010-03-15 13:05 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ChromeHook\rpchromebrowserrecordhelper.dll
2010-03-15 13:05 . 2010-03-15 13:05 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-15 13:02 . 2007-06-09 05:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-15 13:02 . 2007-06-09 05:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-11 12:38 . 2004-08-04 01:07 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 01:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 01:07 17408 ------w- c:\windows\system32\corpol.dll
2009-10-06 23:20 . 2009-10-06 23:20 56832 --sha-r- c:\windows\system32\mfszwmz.dll
2008-04-02 12:59 . 2008-04-01 15:48 2159392 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

------- Sigcheck -------

[-] 2010-05-13 02:27 . 09925C49086F2785C061418F7FCA406F . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

c:\windows\System32\drivers\ndis.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\User1\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [BU]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-20 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - c:\program files\CallWave\IAM.exe [2009-2-5 1940544]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2007-6-9 565248]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\User1\Application Data\iolo\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-01 20:51 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\iTunes\iTunes.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\QuickTime\QuickTimePlayer.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Program Files\LimeWire\LimeWire.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\CallWave\IAM.exe"=
"c:\Documents and Settings\User1\Application Data\mjusbsp\magicJack.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/9/2007 3:23 AM 77312]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/15/2010 10:25 AM 1872320]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [1/30/2008 9:34 AM 388936]
S3 isaxbox;isaxbox;\??\c:\windows\system32\isaxbox.sys --> c:\windows\system32\isaxbox.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-06-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{4444FF7E-2019-4df0-B7FD-B7F20FE02417} - {ccdc304a-4095-46a4-8b66-2b5cb3dfca3c} -
Trusted Zone: turbotax.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
DPF: Web-Based Email Tools - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-09 00:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(276)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(344)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3204)
c:\windows\system32\WININET.dll
c:\program files\CallWave\CWIdle.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-09 00:49:16
ComboFix-quarantined-files.txt 2010-06-09 04:49
ComboFix2.txt 2010-06-09 03:06
ComboFix3.txt 2010-05-22 23:42

Pre-Run: 55,854,080,000 bytes free
Post-Run: 55,817,322,496 bytes free

- - End Of File - - E33EB7DE76941C05FC65E80D8AF173F9

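The log above is what the helper works from: the Sigcheck block shows the dllcache copy of ndis.sys failing the check while the real driver in System32\drivers is missing, the isaxbox service points at a file that does not exist, and Internet Settings carry a proxy of 127.0.0.1:5555, which is why the machine has no internet. The Python below is an added example (mine, not code from this thread or from ComboFix) that pulls exactly those four findings out of ComboFix-style log text; the sample excerpt is constructed from the posted log, and the regular expressions are my reading of the posted layout rather than a documented format.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2010-05-13 02:27 . 09925C49086F2785C061418F7FCA406F . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys

c:\windows\System32\drivers\ndis.sys ... is missing !!
.
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 isaxbox;isaxbox;\??\c:\windows\system32\isaxbox.sys --> c:\windows\system32\isaxbox.sys [?]
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"""

# "[flag] date . MD5 . size . . [version] . . path"; in the posted log the
# copy that failed the check carries [-] and no version information.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!$")
# "R2 name;display;image [date time size]"; the bracket reads [?] when the
# image file was not found on disk (as for isaxbox above).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class Finding:
    kind: str     # sigcheck_failed | file_missing | service_image_unresolved | loopback_proxy
    subject: str  # file path, service name or the raw proxy value
    detail: str


def proxy_hosts(value):
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into host names."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the per-protocol prefix
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]").lower())
    return hosts


def triage(log_text):
    """Return the Findings for one ComboFix-style log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            if m["flag"] == "-":
                findings.append(Finding("sigcheck_failed", m["path"],
                    f"md5={m['md5'].upper()} size={m['size']} version=[{m['version']}]"))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding("file_missing", m["path"],
                                    "system file referenced by the OS is not on disk"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m["info"].strip() == "?":
                findings.append(Finding("service_image_unresolved",
                                        m["name"].strip(), m["image"].strip()))
            continue
        m = PROXY_RE.match(line)
        if m:
            value = m["value"].strip()
            if any(h in LOOPBACK for h in proxy_hosts(value)):
                findings.append(Finding("loopback_proxy", value,
                    "browser traffic is forced through a local port; with no legitimate "
                    "local proxy installed this blocks the internet and should be cleared"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.subject}  ({f.detail})")
```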

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Post by Belahzur on Wed Jun 09, 2010 10:50 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    Folder::
    c:\documents and settings\User1\Local Settings\Application Data\lrcldabqi

    Driver::
    isaxbox

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

    FCopy::
    c:\windows\system32\dllcache\ndis.sys | c:\windows\System32\drivers\ndis.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

