bonuspromooffer.com or VirusRemover2009


Post by waynerw on 15th April 2009, 5:11 pm

I have used Malwarebytes' and Spybot as well as my own anti-virus, but I still have it. Here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:11 AM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Shaw Secure\FSGUI\scanwizard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\4QKS1757\hijackgpthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - [You must be registered and logged in to see this link.]
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - [You must be registered and logged in to see this link.]
O16 - DPF: {E001C731-5E37-4538-A5CB-8168736A2360} (Confirmation) - [You must be registered and logged in to see this link.]
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10551 bytes

I'm new here, so I hope I have done this correctly.

Thanks
Waynerw


Re: bonuspromooffer.com or VirusRemover2009

Post by Belahzur on 15th April 2009, 5:15 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: bonuspromooffer.com or VirusRemover2009

Post by waynerw on 15th April 2009, 5:56 pm

I have tried three times to send the DDS to you, but I keep getting a message that it is too big.


Re: bonuspromooffer.com or VirusRemover2009

Post by Belahzur on 15th April 2009, 5:57 pm

Split it up, use more than one post.



Re: bonuspromooffer.com or VirusRemover2009

Post by waynerw on 15th April 2009, 6:16 pm

1 of 2


DDS (Ver_09-03-16.01) - NTFSx86
Run by Wayne at 11:06:07.39 on Wed 04/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.716 [GMT -7:00]

AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated)
FW: Shaw Secure 8.00 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Shaw Secure\FSGUI\scanwizard.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\4QKS1757\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
mPolicies-explorer: =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-2-25 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-2-25 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\shaw secure\hips\drivers\fshs.sys [2009-2-25 66720]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2009-2-25 215648]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2009-2-25 84608]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2009-2-25 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2009-2-25 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2009-2-25 25184]


Re: bonuspromooffer.com or VirusRemover2009

Post by waynerw on 15th April 2009, 6:17 pm

2 of 2

=============== Created Last 30 ================

2009-04-15 09:55 --d----- c:\documents and settings\wayne\.SunDownloadManager
2009-04-14 19:03 --d----- c:\program files\Enigma Software Group
2009-04-14 14:39 --d----- c:\docume~1\wayne\applic~1\Malwarebytes
2009-04-14 14:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-14 14:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 14:39 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-14 14:39 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-14 13:30 --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-14 13:30 --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-14 13:30 --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-14 13:29 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-14 13:25 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-14 13:25 --d----- c:\program files\Spybot - Search & Destroy
2009-04-14 13:16 --d----- c:\windows\SxsCaPendDel
2009-04-14 12:32 --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-14 12:31 --d----- c:\program files\common files\iS3
2009-04-14 12:31 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-14 12:08 --d----- C:\1604c549e29e18132d839c94be9a0e
2009-04-14 11:59 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 11:59 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 11:59 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 11:59 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 11:59 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 11:59 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 11:59 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 11:59 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 11:59 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 11:58 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 11:58 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 11:58 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-01 21:08 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-01 11:18 --d----- c:\windows\system32\XPSViewer
2009-04-01 11:16 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 11:16 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 11:16 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-01 11:16 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 11:16 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 11:16 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-01 11:16 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-01 11:16 --d----- C:\4b126057f141ae20ab8fcb31
2009-03-31 22:49 --d----- c:\docume~1\wayne\applic~1\QuickScan
2009-03-30 13:04 --d-h--- c:\windows\PIF
2009-03-21 07:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll
2009-03-18 14:55 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-03-18 14:55 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-03-18 14:55 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-03-18 14:55 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-03-18 14:55 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-03-18 14:55 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-03-18 14:55 8,192 a------- c:\windows\system32\kbdkor.dll
2009-03-18 14:55 6,144 a------- c:\windows\system32\kbd101c.dll
2009-03-18 14:55 6,144 a------- c:\windows\system32\kbd101b.dll
2009-03-18 14:55 5,632 a------- c:\windows\system32\kbd103.dll
2009-03-18 14:55 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-03-18 14:55 6,144 a------- c:\windows\system32\kbd106.dll

==================== Find3M ====================

2009-04-14 11:03 75,264 a------- c:\windows\system32\userinit.exe
2009-03-12 09:15 166,358 a------- c:\windows\hpoins30.dat
2009-03-10 10:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-01 12:33 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-25 18:27 8,074 a------- c:\windows\extend.dat
2009-02-25 14:43 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2009-02-25 14:25 102,452 a------- c:\windows\system32\msvcrt2.dll
2009-02-25 14:03 59,440 a------- c:\windows\system32\drivers\cdr4_xp.sys
2009-02-25 14:03 53,248 a------- c:\windows\uneng.exe
2009-02-25 14:03 45,056 a------- c:\windows\system32\cdrtc.dll
2009-02-25 14:03 45,056 a------- c:\windows\system32\cdral.dll
2009-02-25 14:03 23,724 a------- c:\windows\system32\drivers\cdralw2k.sys
2009-02-25 12:28 2,678 a------- c:\windows\java\packages\data\QTB9JR3P.DAT
2009-02-25 12:28 558,142 a------- c:\windows\java\packages\CBBF33VV.ZIP
2009-02-25 12:28 2,678 a------- c:\windows\java\packages\data\GIZF9BVV.DAT
2009-02-25 12:28 155,995 a------- c:\windows\java\packages\E7JTZJP3.ZIP
2009-02-25 12:28 2,678 a------- c:\windows\java\packages\data\GMB9B9FL.DAT
2009-02-25 12:28 2,678 a------- c:\windows\java\packages\data\CIFZ7RZZ.DAT
2009-02-25 12:28 2,678 a------- c:\windows\java\packages\data\OZ97FH3N.DAT
2009-02-25 12:26 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-20 11:09 78,336 -------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 11:06:57.46 ===============


Re: bonuspromooffer.com or VirusRemover2009

Post by Belahzur on 15th April 2009, 6:26 pm

Hello.
DDS shows userinit is patched; that explains why you can't get rid of it, as AVs won't touch legit files.


  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (F-Secure).
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
    The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get the next prompt, which asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Re: bonuspromooffer.com or VirusRemover2009

Post by waynerw on 15th April 2009, 7:05 pm

1 of 2

ComboFix 09-04-15.08 - Wayne 04/15/2009 11:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.874 [GMT -7:00]
Running from: c:\documents and settings\Wayne\Desktop\ComboFix.exe
AV: Shaw Secure 8.00 *On-access scanning disabled* (Updated)
FW: Shaw Secure 8.00 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 16:55 . 2009-04-15 16:58 -------- d-----w c:\documents and settings\Wayne\.SunDownloadManager
2009-04-15 01:12 . 2009-04-15 01:12 -------- d-----w c:\documents and settings\Yvonne\Application Data\Malwarebytes
2009-04-14 21:39 . 2009-04-14 21:39 -------- d-----w c:\documents and settings\Wayne\Application Data\Malwarebytes
2009-04-14 21:39 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 21:39 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 21:39 . 2009-04-14 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 20:25 . 2009-04-14 21:15 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 20:16 . 2009-04-14 20:36 -------- d-----w c:\windows\SxsCaPendDel
2009-04-14 19:32 . 2009-04-14 19:39 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-14 19:31 . 2009-04-14 20:16 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-14 19:08 . 2009-04-14 19:08 -------- d-----w C:\1604c549e29e18132d839c94be9a0e
2009-04-14 18:59 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:59 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:59 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:59 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 18:59 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:59 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:59 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:59 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:59 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:58 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 18:58 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:58 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-02 04:08 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-01 18:18 . 2009-04-01 18:18 -------- d-----w c:\windows\system32\XPSViewer
2009-04-01 18:16 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 18:16 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-01 18:16 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 18:16 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-01 18:16 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-01 18:16 . 2009-04-01 18:17 -------- d-----w C:\4b126057f141ae20ab8fcb31
2009-04-01 05:49 . 2009-04-01 05:50 -------- d-----w c:\documents and settings\Wayne\Application Data\QuickScan
2009-03-30 20:04 . 2009-03-30 20:04 -------- d--h--w c:\windows\PIF
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-03-18 21:55 . 2001-08-18 05:36 8704 -c--a-w c:\windows\system32\dllcache\kbdjpn.dll
2009-03-18 21:55 . 2001-08-18 05:36 8704 ----a-w c:\windows\system32\kbdjpn.dll
2009-03-18 21:55 . 2001-08-18 05:36 8192 -c--a-w c:\windows\system32\dllcache\kbdkor.dll
2009-03-18 21:55 . 2001-08-18 05:36 8192 ----a-w c:\windows\system32\kbdkor.dll
2009-03-18 21:55 . 2001-08-17 21:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101c.dll
2009-03-18 21:55 . 2001-08-17 21:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101b.dll
2009-03-18 21:55 . 2001-08-17 21:55 6144 ----a-w c:\windows\system32\kbd101c.dll
2009-03-18 21:55 . 2001-08-17 21:55 6144 ----a-w c:\windows\system32\kbd101b.dll
2009-03-18 21:55 . 2001-08-17 21:55 5632 -c--a-w c:\windows\system32\dllcache\kbd103.dll
2009-03-18 21:55 . 2001-08-17 21:55 5632 ----a-w c:\windows\system32\kbd103.dll
2009-03-18 21:55 . 2008-04-13 23:09 6144 -c--a-w c:\windows\system32\dllcache\kbd106.dll
2009-03-18 21:55 . 2008-04-13 23:09 6144 ----a-w c:\windows\system32\kbd106.dll
2009-03-17 05:24 . 2009-03-17 05:24 -------- d-----w c:\documents and settings\Yvonne\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 18:16 . 2009-02-26 04:53 -------- d-----w c:\documents and settings\Wayne\Application Data\HPAppData
2009-04-15 16:41 . 2009-02-25 21:25 -------- d-----w c:\program files\Shaw Secure
2009-04-15 02:03 . 2009-04-15 02:03 -------- d-----w c:\program files\Enigma Software Group
2009-04-15 01:25 . 2009-02-28 18:44 -------- d-----w c:\documents and settings\Yvonne\Application Data\HPAppData
2009-04-14 21:51 . 2009-04-14 21:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 20:46 . 2009-04-14 20:25 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-14 20:30 . 2009-04-14 20:30 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-14 20:30 . 2009-04-14 20:30 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-14 20:30 . 2009-04-14 20:30 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-14 20:29 . 2009-04-14 20:29 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-14 19:31 . 2009-04-14 19:31 -------- d-----w c:\program files\Common Files\iS3
2009-04-14 17:57 . 2009-04-14 17:57 0 ----a-w c:\documents and settings\Wayne\Application Data\~eu37.tmp
2009-04-14 17:56 . 2009-02-25 23:26 17448 ----a-w c:\documents and settings\Wayne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 20:19 . 2009-04-10 20:19 -------- d-----w c:\program files\QuickTime
2009-04-01 18:18 . 2009-04-01 18:18 -------- d-----w c:\program files\MSBuild
2009-04-01 18:17 . 2009-04-01 18:17 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 21:04 . 2009-03-01 20:43 -------- d-----w c:\documents and settings\Wayne\Application Data\ZoomBrowser EX
2009-03-31 21:03 . 2009-03-01 20:27 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-03-27 02:43 . 2009-03-27 02:43 674 ----a-w C:\updatedatfix.log
2009-03-17 20:36 . 2009-03-01 22:39 -------- d-----w c:\program files\Common Files\Adobe
2009-03-15 01:46 . 2009-02-26 01:16 -------- d-----w c:\documents and settings\Yvonne\Application Data\HP
2009-03-12 22:12 . 2009-03-12 22:12 -------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-03-12 16:51 . 2009-03-12 16:51 -------- d-----w c:\documents and settings\Wayne\Application Data\Yahoo!
2009-03-12 16:15 . 2009-03-11 20:43 166358 ----a-w c:\windows\hpoins30.dat
2009-03-12 16:11 . 2009-02-26 00:52 -------- d-----w c:\program files\HP
2009-03-12 16:10 . 2009-03-11 21:11 -------- d-----w c:\documents and settings\Wayne\Application Data\HP
2009-03-11 23:58 . 2009-03-11 23:58 -------- d-----w c:\documents and settings\Yvonne\Application Data\Yahoo!
2009-03-11 23:58 . 2009-03-11 23:58 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-11 20:51 . 2009-02-26 01:09 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-11 20:51 . 2009-03-11 20:51 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-03-11 20:51 . 2009-03-11 20:51 -------- d-----w c:\program files\Hewlett-Packard
2009-03-11 20:50 . 2009-03-11 20:50 -------- d-----w c:\program files\Common Files\HP
2009-03-11 20:16 . 2009-03-11 20:16 -------- d-----w c:\program files\Yahoo!
2009-03-10 17:54 . 2009-03-10 17:54 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-10 17:54 . 2009-03-10 17:54 -------- d-----w c:\program files\Java
2009-03-08 20:22 . 2009-03-01 22:37 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-08 20:22 . 2009-03-01 22:37 -------- d-----w c:\program files\NOS
2009-03-08 01:35 . 2009-03-08 01:35 278528 ----a-w C:\ffastunT.ffl
2009-03-07 23:35 . 2009-02-26 01:27 4827 ---ha-w C:\ffastun.ffa
2009-03-07 23:35 . 2009-02-26 01:27 327680 ---ha-w C:\ffastun.ffo
2009-03-07 23:35 . 2009-02-26 01:27 503808 ---ha-w C:\ffastun0.ffx
2009-03-07 23:35 . 2009-02-26 01:25 278528 ---ha-w C:\ffastun.ffl
2009-03-07 03:34 . 2009-02-26 00:01 17448 ----a-w c:\documents and settings\Yvonne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2002-09-03 16:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 22:58 . 2009-03-01 22:38 -------- d-----w c:\program files\Google
2009-03-03 00:18 . 2002-09-03 17:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 23:09 . 2009-03-01 23:09 -------- d-----w c:\documents and settings\Yvonne\Application Data\ZoomBrowser EX
2009-03-01 22:40 . 2009-03-01 22:40 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-01 20:29 . 2009-03-01 20:27 -------- d-----w c:\program files\Canon
2009-03-01 20:25 . 2009-03-01 20:25 -------- d-----w c:\program files\Common Files\Canon
2009-03-01 20:03 . 2009-03-01 20:03 -------- d-----w c:\program files\MSXML 4.0
2009-03-01 19:33 . 2009-02-25 19:28 77423 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-01 19:27 . 2002-09-03 16:50 250048 --sha-r C:\ntldr
2009-02-27 19:12 . 2009-02-27 19:12 -------- d-----w c:\program files\Dell
2009-02-27 19:12 . 2009-02-25 19:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 01:27 . 2009-02-26 01:27 8074 ----a-w c:\windows\extend.dat
2009-02-26 01:23 . 2009-02-26 01:23 -------- d-----w c:\program files\Windows Messaging
2009-02-26 01:17 . 2009-02-26 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-02-26 01:09 . 2009-02-26 01:09 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-25 21:43 . 2009-02-25 21:43 33408 ----a-w c:\windows\system32\drivers\fsbts.sys
2009-02-25 21:30 . 2009-02-25 21:30 -------- d-----w c:\documents and settings\Wayne\Application Data\F-Secure
2009-02-25 21:26 . 2009-02-25 21:09 -------- d-----w c:\documents and settings\All Users\Application Data\f-secure
2009-02-25 21:25 . 2009-02-25 21:24 -------- d-----w c:\documents and settings\All Users\Application Data\fssg
2009-02-25 21:25 . 2009-02-25 21:25 102452 ----a-w c:\windows\system32\msvcrt2.dll
2009-02-25 21:06 . 2009-02-25 21:06 -------- d-----w c:\documents and settings\All Users\Application Data\Creative
2009-02-25 21:06 . 2009-02-25 21:05 -------- d-----w c:\program files\Creative
2009-02-25 21:04 . 2009-02-25 21:04 -------- d-----w c:\program files\CyberLink
2009-02-25 21:03 . 2009-02-25 21:03 53248 ----a-w c:\windows\uneng.exe
2009-02-25 21:03 . 2009-02-25 21:02 -------- d-----w c:\program files\Common Files\Adaptec Shared
2009-02-25 21:03 . 2002-04-11 01:15 59440 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-25 21:03 . 2002-04-11 01:15 45056 ----a-w c:\windows\system32\cdrtc.dll
2009-02-25 21:03 . 2002-04-11 01:14 23724 ----a-w c:\windows\system32\drivers\cdralw2k.sys
2009-02-25 21:03 . 2002-04-11 01:14 45056 ----a-w c:\windows\system32\cdral.dll
2009-02-25 21:02 . 2009-02-25 21:02 -------- d-----w c:\program files\Roxio
2009-02-25 19:45 . 2009-02-25 19:45 -------- d-----w c:\program files\Intel
2009-02-25 19:33 . 2009-02-25 19:33 -------- d-----w c:\program files\Common Files\InstallShield
2009-02-25 19:29 . 2009-02-25 19:29 -------- d-----w c:\program files\microsoft frontpage
2009-02-25 19:28 . 2009-02-25 19:28 2678 ----a-w c:\windows\java\Packages\Data\QTB9JR3P.DAT
2009-02-25 19:28 . 2009-02-25 19:28 558142 ----a-w c:\windows\java\Packages\CBBF33VV.ZIP
2009-02-25 19:28 . 2009-02-25 19:28 2678 ----a-w c:\windows\java\Packages\Data\GIZF9BVV.DAT
2009-02-25 19:28 . 2009-02-25 19:28 2678 ----a-w c:\windows\java\Packages\Data\GMB9B9FL.DAT
2009-02-25 19:28 . 2009-02-25 19:28 2678 ----a-w c:\windows\java\Packages\Data\CIFZ7RZZ.DAT
2009-02-25 19:28 . 2009-02-25 19:28 155995 ----a-w c:\windows\java\Packages\E7JTZJP3.ZIP
2009-02-25 19:28 . 2009-02-25 19:28 2678 ----a-w c:\windows\java\Packages\Data\OZ97FH3N.DAT
2009-02-25 19:26 . 2009-02-25 19:26 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-20 18:09 . 2004-08-04 07:56 78336 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2002-09-03 16:39 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2002-09-03 16:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-09-03 16:49 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-09-03 16:27 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-09-03 17:11 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-09-03 16:59 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2002-09-03 16:50 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-09-03 16:58 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2002-09-03 16:58 56832 ----a-w c:\windows\system32\secur32.dl


Re: bonuspromooffer.com or VirusRemover2009

Post by waynerw on 15th April 2009, 7:06 pm

2 of 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-03 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-11 679936]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-10 413696]
"MRT"="c:\windows\system32\MRT.exe" [2009-04-06 24921544]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-1 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2008-09-23 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2008-09-23 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-02-25 33408]
S0 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-09-23 79904]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2008-09-23 66720]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2009-03-23 84608]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2008-09-23 55904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2009-02-25 13:35]

2009-04-15 c:\windows\Tasks\User_Feed_Synchronization-{017EB5D6-5C3F-4B03-8CA0-CB709571FC64}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
SafeBoot-WindowsTelephony


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-15 11:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1177238915-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(420)
c:\program files\Shaw Secure\Spam Control\fsscoepl.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsgk32.exe
c:\program files\Shaw Secure\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Shaw Secure\Common\FCH32.EXE
c:\windows\system32\MsPMSPSv.exe
c:\program files\Shaw Secure\Common\FAMEH32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsqh.exe
c:\program files\Shaw Secure\FSPC\fspc.exe
c:\progra~1\SHAWSE~1\FSGUI\fsguidll.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\FSAUA\program\fsaua.exe
c:\program files\Shaw Secure\FWES\program\fsdfwd.exe
c:\program files\Shaw Secure\FSAUA\program\fsus.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Shaw Secure\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2009-04-15 11:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-15 18:49

Pre-Run: 48,587,157,504 bytes free
Post-Run: 48,784,105,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

300

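Added example, not part of the thread and not ComboFix's own code: the "Other Deletions" block above records that ComboFix found a patched c:\windows\system32\userinit.exe and restored it from the $NtServicePackUninstall$ backup copy. The script below does the same kind of comparison in two passes: first straight from the log, parsing the "Files Created" / "Find3M" lines and comparing the logged size of each system32 binary with its dllcache copy, then on disk with SHA-256, which is the check that actually matters because a patched binary can keep its original size. The log lines inside demo() are copied from this thread, except the two userinit.exe lines whose sizes are constructed for the demonstration; the directories and file contents are constructed in a temporary folder so the script runs offline on any OS. Caveat a practitioner would add: dllcache and $NtServicePackUninstall$ live on the same disk the malware had write access to, so a match there is weaker evidence than a mismatch; compare against hashes from a clean install of the same service pack when you can.

```python
"""Triage helpers for a ComboFix file listing: parse the 'Files Created' /
'Find3M' lines, compare system32 binaries with their dllcache copies by the
logged size, then verify on disk with SHA-256 (added example, not ComboFix code)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>"
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = SYSTEM32 + "dllcache\\"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str            # e.g. "-c----w", "d-----w", "--sha-r"
    path: str             # normalised to lower case

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_file_entry(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for lines that are not file entries."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"].lower())


def size_mismatches(entries: List[Entry]) -> List[str]:
    """Names listed both directly under system32 and under system32\\dllcache whose
    logged sizes differ. A cheap first pass from the log alone; a size match
    proves nothing, a mismatch is worth a look."""
    live: Dict[str, int] = {}
    cache: Dict[str, int] = {}
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        if e.path.startswith(DLLCACHE):
            cache[e.path[len(DLLCACHE):]] = e.size
        elif e.path.startswith(SYSTEM32) and "\\" not in e.path[len(SYSTEM32):]:
            live[e.path[len(SYSTEM32):]] = e.size
    return sorted(n for n in live.keys() & cache.keys() if live[n] != cache[n])


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_mismatches(system32_dir: str, backup_dir: str) -> List[str]:
    """On-disk check: for every name present in both directories, compare SHA-256
    digests. A patched userinit.exe shows up here even if its size was preserved."""
    bad = []
    for name in sorted(os.listdir(backup_dir)):
        live, ref = os.path.join(system32_dir, name), os.path.join(backup_dir, name)
        if os.path.isfile(live) and os.path.isfile(ref) and sha256_file(live) != sha256_file(ref):
            bad.append(name)
    return bad


def demo() -> dict:
    """Constructed sample: log lines from the thread (userinit.exe sizes constructed),
    plus a temp directory pair where userinit.exe is patched at equal length."""
    log_lines = [
        "2009-04-14 18:59 . 2009-02-06 11:11 110592 -c----w c:\\windows\\system32\\dllcache\\services.exe",
        "2009-02-06 11:11 . 2002-09-03 16:59 110592 ----a-w c:\\windows\\system32\\services.exe",
        "2009-04-01 18:16 . 2008-07-06 12:06 575488 -c----w c:\\windows\\system32\\dllcache\\xpsshhdr.dll",
        "2009-04-01 18:16 . 2008-07-06 12:06 575488 ------w c:\\windows\\system32\\xpsshhdr.dll",
        # constructed pair: the live binary no longer matches the cached copy's size
        "2009-04-14 18:59 . 2008-04-14 00:12 26112 -c----w c:\\windows\\system32\\dllcache\\userinit.exe",
        "2009-04-14 17:57 . 2009-04-14 17:57 26624 ----a-w c:\\windows\\system32\\userinit.exe",
        "2009-04-15 16:55 . 2009-04-15 16:58 -------- d-----w c:\\documents and settings\\Wayne\\.SunDownloadManager",
    ]
    entries = [e for e in map(parse_file_entry, log_lines) if e]

    root = tempfile.mkdtemp()
    s32 = os.path.join(root, "system32")
    cache = os.path.join(s32, "dllcache")
    os.makedirs(cache)
    clean = b"MZ" + b"\x00" * 30 + b"clean userinit"
    patched = b"MZ" + b"\x00" * 30 + b"evil! userinit"   # same length, different bytes
    for d, blob in ((cache, clean), (s32, patched)):
        with open(os.path.join(d, "userinit.exe"), "wb") as f:
            f.write(blob)
    for d in (cache, s32):                                # an untouched pair for contrast
        with open(os.path.join(d, "services.exe"), "wb") as f:
            f.write(clean)
    return {"parsed": len(entries), "by_size": size_mismatches(entries),
            "by_hash": hash_mismatches(s32, cache)}


if __name__ == "__main__":
    print(demo())
```

On a real machine the two directory arguments to hash_mismatches() would be c:\windows\system32 and c:\windows\system32\dllcache (or the $NtServicePackUninstall$ folder ComboFix restored from); the log-only pass is for triage when you have nothing but the posted report.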

Re: bonuspromooffer.com or VirusRemover2009

Post by Belahzur on 15th April 2009, 7:14 pm

Hello.
Patched file is fixed. Please enable F-Secure now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?



Re: bonuspromooffer.com or VirusRemover2009

Post by waynerw on 15th April 2009, 7:22 pm

Seems great, thank you. When I get back from dialysis I will have time to check further.

