Author Topic: Help to remove FOTOMOTO.A Trojan  (Read 55658 times)


Maze

  • Guest
Help to remove FOTOMOTO.A Trojan
« on: July 05, 2007, 01:46:25 PM »
I have the fotomoto trojan on my pc. Avast does not find it, but Windows Defender does. Every time it catches it, Win-defender gives me the option to remove, and afterwards tells me the computer is clean. But after every reboot, Fotomoto is still running wild on my pc. Does anyone have a solution? Thanks in advance.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help to remove FOTOMOTO.A Trojan
« Reply #1 on: July 05, 2007, 03:00:12 PM »
Hi Maze,

Fotomoto is possibly a variant of Begin2Search/B2Search/eZula.

First go to Start>Control Panel>Add/Remove Programs and remove this program if found under any of the above names. (It may not be there.)

Then try the usual free adware/spyware scanners.

AVG Anti-Spyware Free (Requires Win2k/XP)
Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free

Download, install and update all the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

If still having problems, post a HijackThis! log.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Help to remove FOTOMOTO.A Trojan
« Reply #2 on: July 05, 2007, 03:45:34 PM »
Before dealing with it, if you know the file name and location, send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #3 on: July 05, 2007, 04:27:21 PM »
Thanks both of you. I will perform the recommendations you both mentioned above, one by one, and then post a reply later today.
Avast also detects "Win32:Agent-ISI[Trj]" and "Win32:VBStat-C[Trj]". I was going to search the threads and start a new one if these haven't been discussed already. Just mentioning in case these will also be solved by the above process or are related. I have been moving the files to chest, but these keep coming back.

Rafel

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #4 on: July 05, 2007, 04:30:39 PM »
You must uncheck system restore.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Help to remove FOTOMOTO.A Trojan
« Reply #5 on: July 05, 2007, 05:11:07 PM »
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

This is likely to be of more help to us than the malware name alone.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Help to remove FOTOMOTO.A Trojan
« Reply #6 on: July 06, 2007, 03:57:55 AM »
But these keep coming back.
If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you're still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

6. Also, if you're still detecting strange behaviors or you want to be sure you're clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #7 on: July 07, 2007, 09:52:12 PM »
Hi guys,
Unfortunately I wasn't aware of unchecking System Restore, and ran scans for the last two days in safe mode with the internet unplugged; I just logged back in normally with the internet on, and I am back to square one. Would you suggest I redo everything with System Restore turned off? (I just turned it off.)

Question: I currently have Avast, Windows Defender and Spybot Search and Destroy installed. Would it conflict if I install more spyware like "AVG Antispyware" that you guys have recommended? If so, should all the programs run scans simultaneously or one by one? Is there any particular order that is most effective? Also, in safe mode Avast sensitivity was disabled (even though I tried changing it to high); is that normal or is avast infected?

I have noted down the results of the scans and the file names and locations (pasted below). It was 3 pages in Word, so it's long. Hopefully the information you all will need is in here. I will wait for a reply and then install more spyware and redo the scans with system restore turned off.

=====================================

Below steps were performed in Safe mode with the internet connection turned off but after updating Spybot Search and Destroy, Windows Defender and Avast to the latest version.
Step1: Spybot scan results
Step2: Windows Defender scan results
Step3: Avast Thorough scan results
Step4: Avast activity after first normal boot.
-----------------------------------------------
Step I. Ran “Spybot Search and Destroy 1.2”
Results:
1)Mediaplex: Tracking cookie or cookie of tracking site
File: Mediaplex[1].txt in documents and settings
2,3,4) Windows Media Player (WMP) Registry change

I tried fixing the Mediaplex and left the WMP registry change as it is. A warning message came up saying
“Some problems couldn’t be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May SpyBot-S&D run on your next system startup?”     -       I clicked “Yes”.
I have been through this process before with Mediaplex and Spybot, but it keeps coming back every time.

Note: Spybot did not find Fotomoto
--------------------------------------

Step II. Full System scan with “Windows Defender”
Results:
Trojan: Win32/Fotomoto.A (Alert Level: Severe)
Category:
Trojan

Description:
This program is dangerous and can hide programs or bypass security.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1382\A0234026.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233839.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233798.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1378\A0233710.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1376\A0233657.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1375\A0233549.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233439.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1372\A0233336.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1371\A0233244.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1369\A0233166.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1368\A0233087.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1367\A0233067.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1366\A0232958.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1364\A0232853.exe

I am not sure how to find these files and send them to you. I tried opening avast to try and save them to chest, but the chest did not open in safe mode. Hence I quarantined fotomoto using Windows Defender. Again, I have done this before. It keeps coming back.

Upon checking with Software Explorer that comes with Windows Defender, I found a program “jusched.exe” running. The following is the information that was available. Should this be disabled?
File Name: jusched.exe
Display Name: jusched.exe
Description: Not Available
Publisher: Not Available
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
File Path: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
File Size: 32881
File Version: Not Available
Date Installed: 2/22/2068 11:44:46 PM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Permitted
Ships with Operating System: No
--------------------------------------------------------

Step III: Avast Version 4.7 Home Edition Thorough Scan
Note: Resident sensitivity for avast keeps resetting from high to disabled??

Scan results:
1) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233532.dll
   Malware name: Win32:BHO-ES[Trj] (deleted by avast)
2) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233533.exe
   Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
3) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233534.exe\[Embedded#0eb0]
   Malware name: Win32:Zlob-ZL [Trj] (deleted by avast)
4) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233535.exe
   Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
5) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233536.dll
   Malware name: Win32:BHO-EP [Trj] (deleted by avast)
6) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233537.exe
   Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
7) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233538.exe
   Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
8) File name: c:\WINDOWS\Temp\0lebapmc.TMP\WEDDINGC.AVI
   Avast Result: Unable to scan: the file is a decompression bomb
9) File name: c:\WINDOWS\Temp\9bb1ut1z.TMP\WEDDING.AVI
   Avast Result: Unable to scan: the file is a decompression bomb
Malware Type: Trojan Horse
VPS version: 000754-3, 07/06/2007
10) whole bunch of user@servedby.advertising[1].txt & user@advertising[1].txt

Action Taken: Permanently deleted the above files since chest was not working in safe mode.

Step IV:
Logged back into Windows XP Pro – Normal boot (internet connected)
Avast detected the following Trojans


File name:   DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe\[PECompact]
Malware name: Win32:Agent-ISI [Trj]
Malware type:     Trojan Horse
VPS Version:      000754-4, 07/06/2007
Action taken: File moved to chest

File name:   C:\WINDOWS\SYSTEM32\DKXSKSOR.DLL
File name:   C:\DOCUME~1\Family\LOCALS~1\Temp\seokwdqy.dll
Malware name: Win32:Virtumonde-BA [Adw]
Malware type:     Adware
VPS Version:      000754-4, 07/06/2007
Action taken: 000754-4, 07/06/2007

File name:   C:\DOCUME~1\Family\LOCALS~1\Temp\yxygbfdk.dll
Malware name: Win32:VBStat-C [Trj]
Malware type:     Trojan Horse
VPS Version:      000754-4, 07/06/2007
Action taken: File moved to chest

Thanks for the help.
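
An added example, not part of this thread: a small Python triage script that reads detections in the "File name: / Malware name:" layout Maze pasted above and sorts them by where the file lives. It illustrates the point behind Lisandro's step 1: hits under C:\System Volume Information\_restore{...}\RPnnnn\ are restore-point copies that System Restore keeps on disk, whereas hits under Temp or system32 are on the live file system and are the ones to chase. The sample block is constructed from paths already posted in this thread; the regular expressions and location labels are this example's own, not avast's or Windows Defender's.

```python
import re
from collections import Counter

# Constructed sample in the "File name: / Malware name:" layout used above.
# The paths are the ones reported in this thread: restore-point copies found
# in Safe Mode, and the live Temp/system32 files avast caught after a normal
# boot. Several File name lines may share one Malware name line.
SAMPLE_DETECTIONS = r"""
File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233532.dll
Malware name: Win32:BHO-ES[Trj]
File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233534.exe\[Embedded#0eb0]
Malware name: Win32:Zlob-ZL [Trj]
File name: C:\DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe\[PECompact]
Malware name: Win32:Agent-ISI [Trj]
File name: C:\WINDOWS\SYSTEM32\DKXSKSOR.DLL
File name: C:\DOCUME~1\Family\LOCALS~1\Temp\seokwdqy.dll
Malware name: Win32:Virtumonde-BA [Adw]
"""

# Restore-point copies live under _restore{GUID}\RPnnnn\ (this example's own regex).
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\(rp\d+)\\", re.I)
# Scanner path suffix for a member inside an archive or packer, e.g. "...\x.exe\[PECompact]".
MEMBER_RE = re.compile(r"^(.*?)\\\[([^\]]+)\]$")


def strip_member(path):
    """Split an archive/packer member marker off the end of a scanner path."""
    m = MEMBER_RE.match(path)
    return (m.group(1), m.group(2)) if m else (path, None)


def classify(path):
    """Where on disk the hit lives: archived restore point, temp, system32 or other."""
    if RESTORE_RE.search(path):
        return "restore_point"
    low = path.lower()
    if "\\temp\\" in low:
        return "temp"
    if "\\windows\\system32\\" in low:
        return "system32"
    return "other"


def parse_detections(text):
    """Turn 'File name:' / 'Malware name:' pairs into records."""
    records, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("file name:"):
            pending.append(line.split(":", 1)[1].strip())
        elif line.lower().startswith("malware name:"):
            name = line.split(":", 1)[1].strip()
            for p in pending:
                path, member = strip_member(p)
                rp = RESTORE_RE.search(path)
                records.append({
                    "path": path,
                    "member": member,
                    "malware": name,
                    "location": classify(path),
                    "restore_point": rp.group(1).upper() if rp else None,
                })
            pending = []
    return records


def summarize(records):
    """Separate archived restore-point copies from hits on the live file system."""
    live = [r for r in records if r["location"] != "restore_point"]
    return {
        "by_location": Counter(r["location"] for r in records),
        "restore_points": sorted({r["restore_point"] for r in records if r["restore_point"]}),
        "live_malware": sorted({r["malware"] for r in live}),
        "live_paths": [r["path"] for r in live],
    }


if __name__ == "__main__":
    s = summarize(parse_detections(SAMPLE_DETECTIONS))
    print("hits by location:", dict(s["by_location"]))
    print("restore points holding copies:", s["restore_points"])
    print("families live on disk:", s["live_malware"])
    for p in s["live_paths"]:
        print("  live:", p)
```

Run on the sample, the script reports two restore-point copies (all from RP1373) and three live files, two in the user's Temp folder and one in system32. Read against the thread: cleaning the restore-point copies removes evidence that was already archived, but the Temp and system32 hits are what was actually running after the normal boot, so those paths are the ones to submit and remove.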

Rafel

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #8 on: July 07, 2007, 10:55:05 PM »
You can install AVG Anti-Spyware Free and SUPERAntiSpyware for on-demand scans. You'll have no problems.
You may redo all with system restore unchecked.
« Last Edit: July 07, 2007, 10:57:37 PM by Rafel »

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #9 on: July 07, 2007, 11:08:37 PM »
If those don't solve the problem try this:

Download ATF Cleaner from here

http://www.atribune.org/content/view/25/2/

It does not need to be installed - just download it to your desktop and double click to run it.  The directions are on the page I linked to but, instead of leaving all options checked I would un-check the Prefetch option.


After running ATF Cleaner download ComboFix from Here or Here to your Desktop.
 
Double click combofix.exe and follow the prompts.
 
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
 
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


When Combofix has finished run HijackThis and post the log.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #10 on: July 08, 2007, 09:38:37 PM »
Hi everyone,
Thanks for all the help and I have done everything or almost everything you all recommended.

1) Checked for unknown problems in Add/Remove Programs - did not find any
2) Disabled system restore
3) Updated all antivirus programs and plugged off the internet
4) Restarted in Safe Mode
5) Ran and cleaned Temporary Files using both Windows Advanced Care and ATF Cleaner
6) Ran Avast (hung after 3 hours of scanning, so though the scan was over, action could not be taken)
7) Ran AVG Anti-Spyware simultaneously and fixed/quarantined problems
8) Ran SuperAntiSpyware simultaneously and fixed/quarantined problems
9) Ran Anti-rootkit applications AVG and Panda (panda shut down without working)
10) Ran Spybot Search and Destroy - found 3 Windows Media Player registry changes - I assumed they are OK? (Multiplex[1].txt did not show up this time)
11) Immunized using Spybot, did not find an "immunization" option in Windows Advanced Care
12) Ran Combofix and saved log (will paste below)
13) Tried running Secunia Software Inspector from the site, but Java did not load.
14) Ran HijackThis and saved log (will post below)
15) Ran Runscanner and saved log (will post below)

I have been online for 30min, till now nothing has popped up.
Since there are 3 logs and they are long, I will post them as 3 separate posts in the following order:
HijackThis log
RunScanner log
Combofix log

Thanks for all the help, do recommend any fixes that need to be made according to the hijackthis, runscanner and combofix logs.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #11 on: July 08, 2007, 09:42:57 PM »
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:13 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed Utilities\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
E:\Program Files\Anti Virus\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
E:\Program Files\Anti Virus\Avast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe
E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
E:\Program Files\Utilities\Quicktime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet\Mozilla\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Anti Virus\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://officeupdate.microsoft.com/outlook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Internet\Logitech WebCam\ISStart.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - E:\Program Files\Utilities\PDFill\\DownloadPDF.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.21/uploader2.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {611627F1-D9A5-4235-958E-618E483BF8E7} (AutoUploader Class) - http://www.splashbulb.com/uploader/lib/uploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

--
End of file - 7798 bytes

Next post: Runscanner log
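
An added example, not from this thread and not part of HijackThis: a Python helper that reads the O2/O3/O4 lines of a HijackThis log like the one above (the log mauserme's instructions produce) and pulls out two things a reviewer checks first: orphaned BHO/toolbar CLSIDs marked "(no file)", and autorun entries that start from a temp or user-profile path or from an unqualified file name. The sample log is constructed from lines in Maze's log plus one made-up HKCU Run entry (kfquukys, pointing at the Temp path avast flagged earlier) so the check has something to catch. The regular expressions and flag names are this example's own; the script only reads pasted text and does not touch the registry.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, plus one
# made-up HKCU Run entry (kfquukys) that points at the Temp path avast flagged.
# Not a real log from the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kfquukys] C:\DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
"""

# Registry Run/RunOnce entries: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcuts: "O4 - Global Startup: name.lnk = command"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
# BHO/toolbar registrations whose DLL is gone: "O2 - BHO: name - {CLSID} - (no file)"
ORPHAN_RE = re.compile(
    r"^(?P<type>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - \(no file\)$")
# First token ending in an executable extension, for unquoted commands.
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|pif))(?=\s|$)", re.I)


def command_path(cmd):
    """Pull the executable out of a Run value: the quoted path, or up to the first extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def flag_path(path):
    """Label an autorun target by where it starts from (labels are this example's own)."""
    low = path.lower()
    if "\\" not in low:
        return "unqualified"   # bare name resolved through PATH; confirm which file really runs
    if "\\temp\\" in low:
        return "temp"          # nothing legitimate needs to autostart from a temp folder
    if "\\docume~1\\" in low or "\\documents and settings\\" in low:
        return "user-profile"  # user-writable location; worth confirming the publisher
    return "ok"


def triage(text):
    """Return orphaned CLSID entries, all autoruns, and the autoruns worth a closer look."""
    orphans, autoruns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        o = ORPHAN_RE.match(line)
        if o:
            orphans.append(o.groupdict())
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            d = m.groupdict()
            where = d["hive"] + "\\..\\" + d["key"] if "hive" in d else "Global Startup"
            path = command_path(d["cmd"])
            autoruns.append({"name": d["name"], "where": where,
                             "path": path, "flag": flag_path(path)})
    return {"orphans": orphans, "autoruns": autoruns,
            "suspect": [a for a in autoruns if a["flag"] != "ok"]}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    for o in result["orphans"]:
        print("orphaned %s %s: %s" % (o["kind"], o["clsid"], o["name"]))
    for a in result["suspect"]:
        print("check autorun [%s] in %s -> %s (%s)" % (a["name"], a["where"], a["path"], a["flag"]))
```

On the sample, the two "(no file)" Google Toolbar entries come out as orphans (leftovers of an uninstall, harmless but clutter), nwiz is reported as "unqualified" because the log shows only a bare file name (here it is the NVIDIA helper; the flag means confirm which file is resolved, not that it is malware), and the constructed kfquukys entry is flagged as starting from Temp, the pattern that matters in this thread. As mauserme says, the log is for reading, not for automatic fixing.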

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #12 on: July 08, 2007, 09:47:51 PM »
Runscanner log

Runscanner logfile http://www.runscanner.net

000 General info
----------------
Computer name : HOMEUSER
Type of scan : Full scan
RunScanner Version : 0.9.0.0
Creation time : 7/8/2007 3:27:21 PM
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : English (United States)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* e:\program files\anti virus\avast\aswupdsv.exe (ALWIL Software)
* e:\program files\anti virus\avast\ashserv.exe (ALWIL Software)
* e:\program files\anti virus\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.)
c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
* c:\program files\siteadvisor\6066\saservice.exe (McAfee, Inc.)
* e:\program files\anti virus\avast\ashmaisv.exe (ALWIL Software)
* e:\program files\anti virus\avast\ashwebsv.exe (ALWIL Software)
c:\program files\java\j2re1.4.2_04\bin\jusched.exe
e:\program files\internet\logitech webcam\logitray.exe (Logitech Inc.)
* c:\program files\common files\aol\1141834038\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
e:\program files\utilities\itunes&quicktime\ituneshelper.exe (Apple Computer, Inc.)
* e:\progra~1\antivi~1\avast\ashdisp.exe (ALWIL Software)
e:\program files\utilities\quicktime\qttask.exe (Apple Computer, Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Company)
c:\program files\ipod\bin\ipodservice.exe (Apple Computer, Inc.)
c:\program files\olympus\devicedetector\devdtct2.exe (OLYMPUS Corporation.)
c:\program files\palmone\hotsync.exe (PalmSource, Inc)
c:\windows\system32\lvcoms.exe (Logitech Inc.)
c:\program files\hp\digital imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)
* e:\program files\internet\mozilla\firefox.exe (Mozilla Corporation)
* c:\program files\siteadvisor\6066\siteadv.exe (McAfee, Inc.)
* e:\program files\anti virus\hijackthis\hijackthis.exe (Trend Micro Inc.)
e:\program files\anti virus\runscanner.exe (Runscanner.net)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\nwiz.exe (NVIDIA Corporation)
e:\program files\internet\logitech webcam\logitray.exe (Logitech Inc.)
e:\program files\internet\logitech webcam\isstart.exe (Logitech Inc.)
* c:\program files\common files\aol\1141834038\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
e:\program files\utilities\itunes&quicktime\ituneshelper.exe (Apple Computer, Inc.)
* e:\progra~1\antivi~1\avast\ashdisp.exe (ALWIL Software)
e:\program files\utilities\quicktime\qttask.exe (Apple Computer, Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Company)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
- e:\program files\utilities\foldershare\foldershare.exe

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)
c:\progra~1\olympus\device~1\devdtct2.exe (OLYMPUS Corporation.)
c:\progra~1\palmone\hotsync.exe (PalmSource, Inc)
c:\progra~1\hp\digita~1\bin\hpqthb08.exe (Hewlett-Packard Co.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* e:\program files\anti virus\avast\aswupdsv.exe (avast! iAVS4 Control Service)
* e:\program files\anti virus\avast\ashserv.exe (avast! Antivirus)
* e:\program files\anti virus\avast\ashmaisv.exe (avast! Mail Scanner)
* e:\program files\anti virus\avast\ashwebsv.exe (avast! Web Scanner)
* e:\program files\anti virus\avg anti-spyware 7.5\guard.exe (AVG Anti-Spyware Guard)
c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
c:\program files\ipod\bin\ipodservice.exe (iPodService)
C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service)
c:\windows\system32\hpzipm12.exe (Pml Driver HPZ12)
* c:\program files\siteadvisor\6066\saservice.exe (SiteAdvisor Service)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Audio Noise Cancellation Driver)
C:\WINDOWS\system32\drivers\avgarkt.sys (AVG Anti-Rootkit)
* e:\program files\anti virus\avg anti-spyware 7.5\guard.sys (AVG Anti-Spyware Driver)
C:\WINDOWS\system32\drivers\avgarcln.sys (Avg Anti-Rootkit Clean Driver)
* C:\WINDOWS\system32\drivers\avgascln.sys (AVG Anti-Spyware Clean Driver)
- c:\docume~1\family\locals~1\temp\catchme.sys (Base)
C:\WINDOWS\system32\drivers\sqcaptur.sys (Dual-Mode DSC(2770))
C:\WINDOWS\system32\drivers\dvdriver.sys (DVdriver)
C:\WINDOWS\system32\drivers\el2k_xp.sys (3Com 3C2000x EtherLink XL Adapter)
* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)
* C:\WINDOWS\system32\drivers\hpzid412.sys (IEEE-1284.4 Driver HPZid412)
* C:\WINDOWS\system32\drivers\hpzipr12.sys (Print Class Driver for IEEE-1284.4 HPZipr12)
* C:\WINDOWS\system32\drivers\hpzius12.sys (USB to IEEE-1284.4 Translation Driver HPZius12)
* C:\WINDOWS\system32\drivers\icrecusb.sys (IC Recorder Driver)
C:\WINDOWS\system32\drivers\intelc51.sys (Driver executs DSP proccessing)
C:\WINDOWS\system32\drivers\intelc52.sys (Intel(R) 537 Data Fax Voice V.92 Modem)
C:\WINDOWS\system32\drivers\intelc53.sys (Driver executs AFE proccessing)
- c:\docume~1\family\locals~1\temp\jgameenp.sys (jgameenp)
- c:\windows\system32\drivers\fw220.sys (McAfee Firewall Network Filter Miniport)
C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
* C:\WINDOWS\system32\drivers\palmusbd.sys (USB Driver for Palm OS Handheld Devices)
C:\WINDOWS\system32\drivers\camdrl21.sys (Logitech QuickCam Pro 3000(PID_08B0))
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
e:\program files\anti virus\superantispyware\sasdifsv.sys (SASDIFSV)
e:\program files\anti virus\superantispyware\sasenum.sys (SASENUM)
e:\program files\anti virus\superantispyware\saskutil.sys (SASKUTIL)
C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\silvrlnk.sys (Texas Instruments SilverLink (USB GraphLink) Cable)
* C:\WINDOWS\system32\drivers\smwdm.sys (SoundMAX Integrated Digital Audio)
C:\WINDOWS\system32\drivers\sscdbus.sys (SAMSUNG USB Composite Device driver (WDM))
C:\WINDOWS\system32\drivers\viaraid.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\vnusb.sys (VN Series Device)
- c:\windows\system32\drivers\wanatw4.sys (WAN Miniport (ATW))
- f:\winio.sys (WINIO)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
* c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {3A5DC592-7723-4EAA-9EE6-AF4222BCF879}

ComboFix log will continue in the next post since it exceeds the max char limit

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #13 on: July 08, 2007, 09:51:22 PM »
Sorry - I meant the Runscanner log continues here:

035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
-------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
----------------------------------------------------------------
About:Home

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {0BF43445-2F28-4351-9252-17FE6E806AA0}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
e:\program files\utilities\pdfill\\downloadpdf.exe (PlotSoft LLC) {FB858B22-55E2-413f-87F5-30ADC5552151}

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
* e:\program files\anti virus\avg anti-spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.) {57B86673-276A-48B2-BAE7-C6DBB3020EB8}
e:\program files\anti virus\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {089FD14D-132B-48FC-8861-0048AE113215}

061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
----------------------------------------------------------------------------
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
e:\program files\internet\logitech webcam\namespc2.dll (Logitech Inc.) {400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}
c:\program files\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
* c:\program files\microsoft office\visio11\visshe.dll {506F4668-F13E-4AA1-BB04-B43203AB3CC0}
* c:\program files\microsoft office\visio11\visshe.dll {D66DC78C-4F61-447F-942B-3FB6980118CF}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
e:\program files\utilities\itunes&quicktime\itunesminiplayer.dll (Apple Computer, Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
* e:\program files\anti virus\avast\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
autocheck autochk *

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
e:\program files\anti virus\superantispyware\saswinlo.dll (SUPERAntiSpyware.com)
-

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\custmon2k.dll
* C:\WINDOWS\system32\hpzlnt10.dll (HP)

073 %windir%\Tasks
------------------
c:\windows\tasks\mp scheduled scan.job

100 Internet Explorer settings
------------------------------
Start Page HKCU : www.bbc.co.uk
Start Page HKLM : about:blank
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
ShellNext HKCU : http://officeupdate.microsoft.com/outlook

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
c:\windows\downloaded program files\yinsthelper.dll (Yahoo! Inc.) {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
* c:\windows\downloaded program files\uploaderx.dll {474F00F5-3853-492C-AC3A-476512BBC336}
c:\windows\downloaded program files\uploader.dll {611627F1-D9A5-4235-958E-618E483BF8E7}
c:\program files\java\j2re1.4.2_04\bin\npjpi142_04.dll (JavaSoft / Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
c:\program files\java\j2re1.4.2_04\bin\npjpi142_04.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
* c:\windows\system32\macromed\flash\flash9b.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL
------------------------------------------------------
Default : http://
ftp : ftp://
gopher : gopher://
home : http://
mosaic : http://
www : http://

147 HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
-----------------------------------------------------------------------------
C:\WINDOWS\system32\zwebauth.dll

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* e:\program files\anti virus\avast\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* e:\program files\anti virus\avg anti-spyware 7.5\context.dll (GRISOFT s.r.o.) {8934FCEF-F5B8-468f-951F-78A921CD3920}

180 FileType Hijacking
----------------------
HKEY_CLASSES_ROOT batfile : "%1" %*
HKEY_CLASSES_ROOT cmdfile : "%1" %*
HKEY_CLASSES_ROOT comfile : "%1" %*
HKEY_CLASSES_ROOT exefile : "%1" %*
HKEY_CLASSES_ROOT htafile : C:\WINDOWS\system32\mshta.exe "%1" %*
HKEY_CLASSES_ROOT piffile : "%1" %*
HKEY_CLASSES_ROOT scrfile : "%1" /S

Next post: ComboFix log

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #14 on: July 08, 2007, 09:58:07 PM »
ComboFix Log

"Mr.C!" - 2007-07-08 14:45:21 - ComboFix 07-07-07.3 - Service Pack 2 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\#SharedObjects\8FSAHFWA\www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Family\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\zxdnt3d.cfg


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-06-08 to 2007-07-08  )))))))))))))))))))))))))))))))


2007-07-08 14:44   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-08 14:30   8,704   --a------   C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
2007-07-08 11:18   <DIR>   d--------   C:\DOCUME~1\Family\Pavark
2007-07-07 17:59   <DIR>   d--------   C:\HijackThis
2007-07-07 17:51   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-07 17:42   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 17:41   <DIR>   d--------   C:\DOCUME~1\Family\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 17:40   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 17:30   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-19 22:43   <DIR>   d--------   C:\DOCUME~1\Jiggy\APPLIC~1\SiteAdvisor
2007-06-11 12:20   <DIR>   d--------   C:\DOCUME~1\User\APPLIC~1\SiteAdvisor
2007-06-11 09:49   73,216   --a------   C:\WINDOWS\system32\avwav.dll
2007-06-11 09:49   56,832   --a------   C:\WINDOWS\system32\sol.exe
2007-06-11 09:49   55,296   --a------   C:\WINDOWS\system32\freecell.exe
2007-06-11 09:49   5,632   --a------   C:\WINDOWS\system32\write.exe
2007-06-11 09:49   44,544   --a------   C:\WINDOWS\system32\hticons.dll
2007-06-11 09:49   35,328   --a------   C:\WINDOWS\system32\winchat.exe
2007-06-11 09:49   31,744   --a------   C:\WINDOWS\system32\fxsroute.dll
2007-06-11 09:49   227,840   --a------   C:\WINDOWS\system32\avtapi.dll
2007-06-11 09:49   16,384   --a------   C:\WINDOWS\system32\avmeter.dll
2007-06-11 09:49   138,752   --a------   C:\WINDOWS\system32\sndvol32.exe
2007-06-11 09:49   132,608   --a------   C:\WINDOWS\system32\fxsclntR.dll
2007-06-11 09:49   126,976   --a------   C:\WINDOWS\system32\mshearts.exe
2007-06-11 09:49   119,808   --a------   C:\WINDOWS\system32\winmine.exe
2007-06-11 09:49   114,688   --a------   C:\WINDOWS\system32\calc.exe
2007-06-11 09:49   111,104   --a------   C:\WINDOWS\system32\fxscfgwz.dll
2007-06-11 09:49   11,264   --a------   C:\WINDOWS\system32\fxssend.exe
2007-06-11 09:49   <DIR>   d--------   C:\WINDOWS\system32\FxsTmp
2007-06-08 18:23   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2007-06-08 18:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
2007-06-08 18:13   17,176   ---------   C:\WINDOWS\hpomdl04.dat
2007-06-08 18:13   104,549   --a------   C:\WINDOWS\hpoins04.dat
2007-06-08 15:50   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-06-08 14:41   <DIR>   d--------   C:\Program Files\Common Files\HP
2007-06-08 14:26   <DIR>   d--------   C:\temp\HP_WebRelease


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 19:00:11   1,844,926   --sh--w   C:\WINDOWS\system32\rqtss.bak2
2007-06-16 19:31:56   --------   d-----w   C:\Program Files\PERRLA
2007-06-11 13:49:21   --------   d-----w   C:\Program Files\Windows NT
2007-06-08 22:23:35   --------   d-----w   C:\Program Files\HP
2007-06-07 11:17:14   --------   d-----w   C:\Program Files\HighMAT CD Writing Wizard
2007-06-04 02:56:24   --------   d-----w   C:\DOCUME~1\Family\APPLIC~1\SiteAdvisor
2007-06-04 02:49:53   --------   d-----w   C:\Program Files\SiteAdvisor
2007-06-04 01:52:39   --------   d-----w   C:\Program Files\Installed Utilities
2007-06-03 16:26:56   --------   d-----w   C:\Program Files\Real
2007-06-02 20:05:47   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-06-02 20:02:21   --------   d-----w   C:\DOCUME~1\Family\APPLIC~1\Symantec
2007-06-02 18:07:42   1,583,854   --sh--w   C:\WINDOWS\system32\rqtss.bak1
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 16:53:49   11,029   ----a-w   C:\WINDOWS\mozver.dat
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08   62080   --a------   C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
2007-03-30 11:41   1099304   --a------   C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"nwiz"="nwiz.exe" [2003-06-18 01:31 C:\WINDOWS\system32\nwiz.exe]
"LogitechVideoTray"="E:\Program Files\Internet\Logitech WebCam\LogiTray.exe" [2003-08-29 15:20]
"LogitechVideoRepair"="E:\Program Files\Internet\Logitech WebCam\ISStart.exe" [2003-08-29 15:17]
"HostManager"="C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe" [2005-11-02 23:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 20:53]
"iTunesHelper"="E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe" [2006-06-14 16:24]
"avast!"="E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe" [2007-04-30 11:42]
"QuickTime Task"="E:\Program Files\Utilities\Quicktime\qttask.exe" [2007-02-16 10:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"FolderShare"="E:\Program Files\Utilities\FolderShare\FolderShare.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-07-08 18:29:47  C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

**************************************************************************

Completion time: 2007-07-08 14:51:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-08 14:51

   --- E O F ---


Thanks Again.