Solved Trojan spyware - HIJACK THIS LOG

Discussion in 'Malware and Virus Removal Archive' started by RebeccainTO, 2008/04/21.

  1. 2008/04/23
    RebeccainTO

    Move It!

    C:\WINDOWS\system32\perfs.exe moved successfully.
    C:\WINDOWS\system32\routing.exe moved successfully.
    C:\WINDOWS\Driver\i386\ms-java.exe moved successfully.
    C:\WINDOWS\system32\afinding.exe moved successfully.
    File/Folder C:\Program Files\RXToolBar not found.
    C:\WINDOWS\system32\andt.sys moved successfully.
    C:\WINDOWS\system32\drmgs.sys moved successfully.
    C:\WINDOWS\system32\ope12.exe moved successfully.
    C:\WINDOWS\system32\opeB.exe moved successfully.
    C:\WINDOWS\st_ud.exe moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04232008_165005


    All moved successfully....none were left unmoved.
    More to come.....
     
  2. 2008/04/23
    RebeccainTO

    New DSS Log

    Deckard's System Scanner v20071014.68
    Run by win on 2008-04-23 16:54:02
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as win.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:54, on 2008-04-23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\Driver\i386\ms-java.exe
    C:\WINDOWS\Driver\i386\mssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\perfs.exe
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wserving.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\CameraAssistant.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\win\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\win.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://oweb.peelschools.org/jinitiator/jinit.exe
    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: pmnllij - pmnllij.dll (file missing)
    O20 - Winlogon Notify: urqPfGXQ - urqPfGXQ.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

    --
    End of file - 10580 bytes

    -- Files created between 2008-03-23 and 2008-04-23 -----------------------------

    2008-04-21 22:17:10 0 d--h----- C:\WINDOWS\$hf_mig$
    2008-04-21 21:33:19 0 d-------- C:\Documents and Settings\win\Application Data\Malwarebytes
    2008-04-21 21:33:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-21 13:47:07 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-04-21 13:39:50 68096 --a------ C:\WINDOWS\zip.exe
    2008-04-21 13:39:50 49152 --a------ C:\WINDOWS\VFind.exe
    2008-04-21 13:39:50 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-04-21 13:39:50 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-04-21 13:39:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-04-21 13:39:50 98816 --a------ C:\WINDOWS\sed.exe
    2008-04-21 13:39:50 80412 --a------ C:\WINDOWS\grep.exe
    2008-04-21 13:39:50 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-21 12:06:15 0 d-------- C:\WINDOWS\ERUNT
    2008-04-21 12:02:19 0 d-------- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Application Data\Adobe
    2008-04-21 00:16:21 0 d-------- C:\Program Files\Trend Micro
    2008-04-19 22:04:19 0 d-------- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Application Data\ATI
    2008-04-19 20:35:07 0 d--h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Templates
    2008-04-19 20:35:07 0 dr------- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Start Menu
    2008-04-19 20:35:07 0 dr-h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\SendTo
    2008-04-19 20:35:07 0 d--h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Recent
    2008-04-19 20:35:07 0 d--h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\PrintHood
    2008-04-19 20:35:07 0 d--h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\NetHood
    2008-04-19 20:35:07 0 d-------- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\My Documents
    2008-04-19 20:35:07 0 d--h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Local Settings
    2008-04-19 20:35:07 0 d-------- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Favorites
    2008-04-19 20:35:07 0 d-------- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop
    2008-04-19 20:35:07 0 d--hs---- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Cookies
    2008-04-19 20:35:07 0 dr-h----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Application Data
    2008-04-19 20:35:07 0 d---s---- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Application Data\Microsoft
    2008-04-19 20:35:06 786432 --ah----- C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\NTUSER.DAT
    2008-04-19 02:07:49 206 --a------ C:\Delme.bat
    2008-04-19 01:52:01 0 d-------- C:\Documents and Settings\Rebecca\Application Data\Nero
    2008-04-19 01:19:18 0 d-------- C:\Documents and Settings\Administrator\Local Settings
    2008-04-19 01:19:18 0 d-------- C:\Documents and Settings\Administrator\Cookies
    2008-04-19 01:19:18 0 d-------- C:\Documents and Settings\Administrator\Application Data
    2008-04-19 01:19:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-04-19 01:19:17 0 d-------- C:\Documents and Settings\Administrator\Templates
    2008-04-19 01:19:17 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-04-18 21:41:55 8912896 --a------ C:\Documents and Settings\win\ntuser.dat
    2008-04-18 21:41:55 262144 --a------ C:\Documents and Settings\LocalService\ntuser.dat
    2008-04-18 21:35:43 0 --a------ C:\WINDOWS\system32\FaxMan
    2008-04-18 21:35:20 122880 --a------ C:\WINDOWS\system32\TWNLIB3.DLL <Not Verified; Pegasus Imaging Corp.; TwnLib3>
    2008-04-18 21:35:20 172032 --a------ C:\WINDOWS\system32\FMjr10.dll <Not Verified; Data Techniques, Inc.; FaxMan Jr>
    2008-04-18 21:35:20 6144 --a------ C:\WINDOWS\system32\ClassXps.dll
    2008-04-18 21:35:20 397312 --a------ C:\WINDOWS\system32\ClassX.dll <Not Verified; Data Techniques, Inc.; FaxMan Jr>
    2008-04-17 15:38:26 0 d-------- C:\TempDVD
    2008-04-17 14:39:49 0 d-------- C:\Program Files\DVD Shrink
    2008-04-16 08:16:56 0 d-------- C:\WINDOWS\system32\netdd
    2008-04-15 23:37:41 0 d-------- C:\Program Files\Elaborate Bytes
    2008-04-15 23:05:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
    2008-03-30 00:42:24 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-03-30 00:40:12 0 d-------- C:\WINDOWS\system32\drivers\UMDF


    -- Find3M Report ---------------------------------------------------------------

    2008-04-23 16:49:05 0 d-------- C:\Documents and Settings\win\Application Data\Skype
    2008-04-23 16:46:00 0 d-------- C:\Documents and Settings\win\Application Data\uTorrent
    2008-04-19 07:34:01 963813 --a------ C:\Program Files\rootalyz.zip
    2008-04-15 21:52:57 0 d-------- C:\Program Files\VSO
    2008-04-15 21:52:33 0 d-------- C:\Documents and Settings\win\Application Data\Vso
    2008-04-15 21:52:33 33 --a------ C:\Documents and Settings\win\Application Data\pcouffin.log
    2008-04-15 21:52:32 47360 --a------ C:\Documents and Settings\win\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-15 21:52:32 1144 --a------ C:\Documents and Settings\win\Application Data\pcouffin.inf
    2008-04-15 21:52:32 7887 --a------ C:\Documents and Settings\win\Application Data\pcouffin.cat
    2008-04-15 21:30:41 668 --a------ C:\Documents and Settings\win\Application Data\vso_ts_preview.xml
    2008-03-02 16:07:18 31896 --a------ C:\Documents and Settings\win\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-21 18:46:55 2548 --a------ C:\WINDOWS\unins000.dat
    2008-02-21 18:44:23 691545 --a------ C:\WINDOWS\unins000.exe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
    C:\Program Files\RXToolBar\sfcont.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-09-01 14:04]
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [2005-09-07 07:33]
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [2005-09-07 07:39]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00]
    "Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11]
    "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15]
    "Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" []
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
    "Fax Machine"="" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-02 15:52]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 18:07]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 18:20]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 17:10]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 15:18]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
    "uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-02-04 18:07]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-09-29 11:37:26]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-02 15:52:01]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnllij]
    pmnllij.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPfGXQ]
    urqPfGXQ.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup




    -- End of Deckard's System Scanner: finished at 2008-04-23 16:54:24 ------------
     

  4. 2008/04/23
    Geri

    Hi RebeccainTO

    OK good.

    Now do this please.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
    O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
    O20 - Winlogon Notify: pmnllij - pmnllij.dll (file missing)
    O20 - Winlogon Notify: urqPfGXQ - urqPfGXQ.dll (file missing)
    O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now let's get an on-line scan to see if there is anything lurking.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it, click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results and one more new HJT log.

    Thanks
    Geri
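    The entries Geri picks out for Fix Checked share a recognisable shape in a HijackThis log: references to files that no longer exist, a service with no publisher, and a context-menu item that loads a remote URL. Below is an added Python triage script (written for this page, not code from this thread, from HijackThis or from any tool mentioned here) that applies those three rules to a few lines copied from the log posted earlier; the rules and the "remove"/"review" verdicts are my own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of HijackThis v2 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O20 - Winlogon Notify: pmnllij - pmnllij.dll (file missing)
O20 - Winlogon Notify: urqPfGXQ - urqPfGXQ.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
"""

# Every HJT finding starts with a section code (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str       # HJT section code, e.g. "O20"
    verdict: str    # "remove" (orphaned entry) or "review" (needs a human look)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply the triage rules (my own assumptions, not HijackThis logic) to one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    # Rule 1: the registry still points at a file that is gone. The entry can no longer
    # load anything, so fixing it in HJT removes a dangling hook without breaking a
    # program; for O20 Winlogon Notify and O23 services this is the usual leftover
    # after the binary itself has been moved out of the way.
    if body.endswith("(file missing)"):
        return Finding(kind, "remove", "entry references a file that no longer exists", line)

    # Rule 2: a service with no publisher string cannot be vouched for by its name alone,
    # so it is surfaced for a human decision rather than auto-removed.
    if kind == "O23" and " - Unknown owner - " in body:
        return Finding(kind, "review", "service has no publisher information", line)

    # Rule 3: an IE context-menu item that loads a remote http(s) URL instead of a
    # local res:// resource, the pattern of the need2find entry in this thread.
    if kind == "O8" and re.search(r" - https?://", body):
        return Finding(kind, "review", "context menu item loads a remote URL", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole HJT log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.kind:4} {f.reason}\n         {f.line}")
```

    On the sample the four "(file missing)" entries and the need2find O8 line are exactly the five Geri listed; the Unknown-owner rule additionally surfaces the WServing service for a look.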
     
  5. 2008/04/24
    RebeccainTO

    Infected

    39 infected objects, 24 viruses and 8 suspicious objects.

    Whenever data is to be entered, such as an email or password, the box is shaded in colour.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2008-04-24 11:07
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 24/04/2008
    Kaspersky Anti-Virus database records: 724614
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 54368
    Number of viruses found: 24
    Number of infected objects: 39
    Number of suspicious objects: 8
    Duration of the scan process: 00:41:37

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/mrofinu1864.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan-Downloader.Win32.Delf.feh skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/svehost.exe Infected: Net-Worm.Win32.Kolab.qs skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/winself.exe Infected: Trojan.Win32.DNSChanger.cii skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/wmsdkns.exe Infected: not-virus:Hoax.Win32.Renos.bso skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip ZIP: infected - 6 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c22e54f00b2e2152648537a5e183c99_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9015464dff1f164f8438dc7fcaddef5b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9daaeb4809ef7549a3b47b302e86d8fa_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0d34f30e44ae4b23079179cc0ec03f0_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a67508646b45dca8ba549cec30db76cf_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa60caa4434977ee9c85d912e2fe953d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b21fcf67def70100b2d0d306c2520117_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bce83d46a1d72c0abd395a7ca79db682_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf50a03166257acd6800d7c698fc8cdb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c895a93762aa1d6d2bed5e53123cc37a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c9b85b981d498373c8604d8bec8446ff_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb7a96c56be83ecd699801c770b9b8ef_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda16dda4371c3a179244a9fae329dce_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d1a817d60f3c7b8b1bd2afe304fc98bd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d4354a36a629b2ab3f2244e639319bf3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d52cbc5b7bacebd3d3b029400f734218_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e116647dcb28454d9548345d3adbe60e_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2b58a1ac12067f3c9a9575a132add08_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e39b7241b018cbee16ce94bfd857dd92_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea1f342849f9f7a2a48c7b737766e92a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb05245099b8d7313a17df13bf102efc_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f22383b6c3cf70dba79583ac283ca139_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f27adc9055369c2836a77e1009083ed6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f72615baaa7308b0249044a31a7f83cb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f77b9afcba0974c1b942e4759677b511_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f8a28d96468a3a70fd72434d0bfa480b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip/asmend.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet49.zip/asmend.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet49.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet98.zip/asmend.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet98.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl5.zip/mrofinu1864.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl5.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\LocalService\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call512.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\chat512.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\index2.dat Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\profile4096.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer512.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user1024.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user16384.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user4096.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3 ZIP: infected - 1 skipped
    C:\Documents and Settings\win\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\win\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\History\History.IE5\MSHist012008042420080425\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\win\My Documents\Downloads\Adobe_Photoshop_CS3_Full_Version_with_Crack\Setup.exe Infected: Trojan-Downloader.Win32.Agent.kbm skipped
    C:\Documents and Settings\win\My Documents\Downloads\iSofter DVD Audio Ripper, DVD Ripper Deluxe, DVD Ripper,convert DVD to AVI-DivX-XviD-MPEG-MP3-WMV-WMA\All Sound Recorder XP.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
    C:\Documents and Settings\win\My Documents\Downloads\iSofter DVD Audio Ripper, DVD Ripper Deluxe, DVD Ripper,convert DVD to AVI-DivX-XviD-MPEG-MP3-WMV-WMA\iSofter DVD Audio Ripper Deluxe.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
    C:\Documents and Settings\win\My Documents\Downloads\Nero 8 Ultra Edition 8.1.1.4+KeyMaker\Nero-8.1.1.4_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\Documents and Settings\win\My Documents\Downloads\Nero 8 Ultra Edition 8.1.1.4+KeyMaker\Nero-8.1.1.4_eng_update.exe 7-Zip: infected - 1 skipped
    C:\Documents and Settings\win\My Documents\Downloads\WebCam Spy 4.0 [watch your home, office, or anywhere live through a webcam].rar/webcamspy.exe/server.exe Infected: Trojan.Win32.Agent.bcn skipped
    C:\Documents and Settings\win\My Documents\Downloads\WebCam Spy 4.0 [watch your home, office, or anywhere live through a webcam].rar/webcamspy.exe Infected: Trojan.Win32.Agent.bcn skipped
    C:\Documents and Settings\win\My Documents\Downloads\WebCam Spy 4.0 [watch your home, office, or anywhere live through a webcam].rar RAR: infected - 2 skipped
    C:\Documents and Settings\win\My Documents\Incomplete\Preview-T-3545425-i have loved you all along.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\Documents and Settings\win\ntuser.dat Object is locked skipped
    C:\Documents and Settings\win\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
    C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
    C:\Program Files\Common Files\Adobe\Installers\8d0dc9390f2c596455e1446b5918a40\Setup.exe Infected: Trojan-Downloader.Win32.Agent.kbm skipped
    C:\Program Files\Common Files\epjnrlbc\crcrlrre\bdejcrnp.exe Infected: not-a-virus:AdWare.Win32.Gator.a skipped
    C:\Program Files\Common Files\epjnrlbc\ejprnafaph\jbehcjtln.exe Infected: not-a-virus:AdWare.Win32.Gator.a skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\D0000000.FCS Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\inuse.txt Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\L0000002.FCS Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\main.log Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.idx Object is locked skipped
    C:\Program Files\MSTpscre\TPSCREX.EXE.0.AVB Object is locked skipped
    C:\Program Files\MSTpscre\TPSCREX.EXE.1.AVB Object is locked skipped
    C:\Program Files\MSTpscre\TPSCREX.EXE.2.AVB Object is locked skipped
    C:\Program Files\Nero\Nero8\Nero BackItUp\BIU2.txt Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\LFN.EXE.VIR.0.AVB Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\cbxwwvs.dll.vir Infected: Packed.Win32.Monder.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx16\nGpxx162291.exe.vir Infected: Trojan-Downloader.Win32.VB.cgu skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP2\A0000053.sys Infected: not-a-virus:AdWare.Win32.VB.bh skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP2\A0000056.EXE.0.AVB Object is locked skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP2\A0000058.dll Infected: Packed.Win32.Monder.gen skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP2\A0000071.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP6\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Driver\i386\TzoLibr.dll Infected: Backdoor.Win32.Iroffer.z skipped
    C:\WINDOWS\Driver\i386\winlogon.exe Infected: Backdoor.Win32.Iroffer.bh skipped
    C:\WINDOWS\NDNuninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{3A42412D-8791-425A-ADA8-A0B5EA931672}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.y skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\Indt2.sys Infected: Trojan.Win32.VB.cqk skipped
    C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.kiy skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\WINDOWS\TEMP\AcrCFA7.tmp Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\_OTMoveIt\MovedFiles\04232008_165005\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\_OTMoveIt\MovedFiles\04232008_165005\WINDOWS\system32\ope12.exe/data0006 Infected: Trojan-Downloader.Win32.VB.cgu skipped
    C:\_OTMoveIt\MovedFiles\04232008_165005\WINDOWS\system32\ope12.exe NSIS: infected - 1 skipped
    C:\_OTMoveIt\MovedFiles\04232008_165005\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.kiy skipped

    Scan process completed.
     
  6. 2008/04/24
    RebeccainTO
    Hijack THIS

    HJTHIS:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:10, on 2008-04-24
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\perfs.exe
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wserving.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\CameraAssistant.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe "
    O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://oweb.peelschools.org/jinitiator/jinit.exe
    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
    O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

    --
    End of file - 10480 bytes
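The O23 (service) entries are the most useful part of this log for triage: a service whose binary sits in C:\WINDOWS\system32 but reports "Unknown owner" (no publisher or version information) under a generic name such as "Routing Service" or "perfmons Service" is the classic malware persistence pattern, and several of those files are exactly the ones the next set of OTMoveIt instructions targets. As an added example that is not part of the original post and is not a HijackThis feature, this Python script parses the O23 lines and ranks them; the sample log is copied from the entries above, while the risk labels and the "inside the Windows tree" heuristic are this example's own assumptions. It also flags ati2sgag.exe, a component of the ATI display driver that simply ships without version information, which is why a heuristic like this narrows the list for a person or a scanner rather than deciding on its own.

```python
"""Triage the O23 (service) lines of a HijackThis log.

An O23 line has the shape
  O23 - Service: <display name> [(<service name>)] - <owner/vendor> - <image path>
The "(service name)" part is absent on some lines, so the parser treats it as optional.
"""
import re
from dataclasses import dataclass
from typing import Optional

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]*)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Assumption for this example: a service with no owner information whose image
# lives anywhere under the Windows directory is treated as the highest risk.
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Finding:
    display: str
    short: Optional[str]
    owner: str
    path: str
    risk: str  # high | medium | low


def rate(owner: str, path: str) -> str:
    """Vendor-identified services are low risk; unknown-owner services are
    suspect, and suspect services dropped into the Windows tree rank highest."""
    if owner.strip().lower() != "unknown owner":
        return "low"
    return "high" if path.lower().startswith(WINDOWS_DIR) else "medium"


def parse_o23(line: str) -> Optional[Finding]:
    """Return a Finding for an O23 line, or None for any other log line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Finding(m["display"], m["short"], m["owner"], m["path"],
                   rate(m["owner"], m["path"]))


def triage(log_text: str) -> list:
    """Parse every O23 line and return the findings, riskiest first."""
    findings = [f for f in map(parse_o23, log_text.splitlines()) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.risk], f.path.lower()))


def suspicious(log_text: str) -> list:
    """Only the entries a human should look at."""
    return [f for f in triage(log_text) if f.risk != "low"]


# Sample input: the O23 lines copied from the log above, plus one O9 line and the
# trailer to show that everything that is not an O23 entry is ignored.
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
End of file - 10480 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.risk:6} {f.owner:40} {f.path}")
```

Run against the sample it lists six high-risk services and ten low-risk ones; the parser deliberately ignores every non-O23 line, so the whole log can be fed in unedited.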
     
  7. 2008/04/24
    Geri
    Hi RebeccainTO
    It is showing some pretty nasty infections.

    First I should tell you this...
    Your computer has multiple infections, including a backdoor Trojan.
    Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, collect confidential data and information from the computer, log activity on the computer and more.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
    I would suggest you change all passwords using a non-infected computer (not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer, contact any credit card companies or banks about possible fraud on your account(s).
    Many experts in the security community believe that once infected with this type of Trojan, there is no way to be sure your computer can ever again be trusted with financial dealings.

    Now you have picked up some (if not all) of these through uTorrent.
    C:\Documents and Settings\win\My Documents\Downloads\Adobe_Photoshop_CS3_Full_Version_with_Crack\Setup.exe Infected: Trojan-Downloader.Win32.Agent.kbm skipped

    I don't know that your system can be cleaned without deleting these programs.
    Adobe_Photoshop_CS3
    WebCam Spy 4.0
    Preview-T-3545425-i have loved you all along.mp3
    Nero 8 Ultra Edition
    iSofter DVD Audio Ripper Deluxe

    Are you prepared to delete these "if" it is necessary?

    Let me know.
    Geri
     
  8. 2008/04/24
    RebeccainTO
    Yes

    I read about back door.
    I can delete all those files. My husband put them on.
     
  9. 2008/04/24
    Geri
    Hi RebeccainTO
    OK, good. My best suggestion would be to do so; that way we can make sure they won't turn around and reinfect as we try to clean this up.

    Again, I strongly suggest you remove uTorrent also. This is the source of most of your problems here.
    Any P2P file sharing will just get you into trouble. I've seen it happen over and over again.

    Please go to Start > Control Panel > Add/Remove Programs (Windows Vista it’s Programs and Features) and remove the following (if present):


    Adobe_Photoshop_CS3
    WebCam Spy 4.0
    Nero 8 Ultra Edition
    iSofter DVD Audio Ripper Deluxe



    Please note any other programs that you don't recognize in that list and post them in your next response.

    Please reboot your computer.


    Now please Open SpyBot S/D
    Click on the Recovery tab at the top.
    Put a check next to everything in there and click Purge selected items.
    OK any prompts.
    Close Spybot S/D

    Now do this.

    Click Start > Run; in the Run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.


    Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Documents and Settings\win\My Documents\Incomplete\Preview-T-3545425-i have loved you all along.mp3
      C:\Program Files\Common Files\Adobe\Installers\8d0dc9390f2c596455e1446b5918a40\Setup.exe 
      C:\Program Files\Common Files\epjnrlbc
      C:\WINDOWS\Driver\i386\TzoLibr.dll
      C:\WINDOWS\Driver\i386\winlogon.exe
      C:\WINDOWS\NDNuninstall7_22.exe
      C:\WINDOWS\system32\afinding.exe
      C:\WINDOWS\system32\asck.exe 
      C:\WINDOWS\system32\Indt2.sys
      C:\WINDOWS\system32\routing.exe 
      C:\WINDOWS\system32\wserving.exe 
      
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Now please do another Kaspersky scan and post the log along with the OTMoveIt log.

    Thanks
    Geri
     
  10. 2008/04/25
    RebeccainTO
    Help!

    The Add or Remove Programs screen freezes and will not allow me to delete programs??
    Tried safe mode as well, to no avail.
     
  11. 2008/04/25
    RebeccainTO
    Deleted the programs from Downloads.

    Don't recognize the following (in Downloads):
    winnew.rar.torrent
    all the video files, VTS files... assume they came with my video camera?
     
  12. 2008/04/25
    RebeccainTO
    It seems ADOBE pht CS3 is the ONLY program that won't delete and seems to freeze the add/remove screen...
     
  13. 2008/04/25
    Geri
    Hi RebeccainTO
    winnew.rar.torrent is part of uTorrent; if you removed uTorrent then remove that also.


    OK, let's see if HJT will uninstall it.

    Delete an Entry from the Uninstall List

    • Open HiJackThis
    • Click on the "Config..." button on the bottom right
    • Click on the tab "Misc Tools"
    • Click on the box that says "Uninstall Manager"
    • Click on the entry ADOBE pht CS3
    • Click on Delete this entry
    • Click "Yes"

    Let me know if that worked.

    Thanks
    Geri
     
  14. 2008/04/25
    RebeccainTO
    Yippy! It's gone!
    I'll continue on with your last post's instructions.

    Thanks!!! :)
     
  15. 2008/04/25
    RebeccainTO
    Move it and KAP

    Move it:
    File/Folder C:\Documents and Settings\win\My Documents\Incomplete\Preview-T-3545425-i have loved you all along.mp3 not found.
    File/Folder C:\Program Files\Common Files\Adobe\Installers\8d0dc9390f2c596455e1446b5918a40\Setup.exe not found.
    File/Folder C:\Program Files\Common Files\epjnrlbc not found.
    File/Folder C:\WINDOWS\Driver\i386\TzoLibr.dll not found.
    File/Folder C:\WINDOWS\Driver\i386\winlogon.exe not found.
    File/Folder C:\WINDOWS\NDNuninstall7_22.exe not found.
    File/Folder C:\WINDOWS\system32\afinding.exe not found.
    File/Folder C:\WINDOWS\system32\asck.exe not found.
    File/Folder C:\WINDOWS\system32\Indt2.sys not found.
    File/Folder C:\WINDOWS\system32\routing.exe not found.
    File/Folder C:\WINDOWS\system32\wserving.exe not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04252008_174132


    KAP:
    KASPERSKY ONLINE SCANNER REPORT
    Friday, April 25, 2008 6:25:52 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 25/04/2008
    Kaspersky Anti-Virus database records: 725749
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 48653
    Number of viruses found: 20
    Number of infected objects: 26
    Number of suspicious objects: 0
    Duration of the scan process: 00:36:28

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/mrofinu1864.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan-Downloader.Win32.Delf.feh skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/svehost.exe Infected: Net-Worm.Win32.Kolab.qs skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/winself.exe Infected: Trojan.Win32.DNSChanger.cii skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/wmsdkns.exe Infected: not-virus:Hoax.Win32.Renos.bso skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip ZIP: infected - 6 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\017788aee7e964d1f680957279d42afd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0410daf915c374b96b665279eb48d2f5_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05992124635c27b414dab51f1003c2c5_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\066ee7c38a345a8c810e02196b16180a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0861772a42ce45f0f1dec5c31756050d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\125b2b707d927254502e9355f0350261_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\16e77965674adee239adf2283ea8fa76_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1e5a0bf170a2893b172a1f8587e7ea26_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\26159d7d51220b7ae8eb1c70c556c01f_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\27dc6f77f550c0c4f10d27a95980d9f6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f9412c2f622b74aa26fade75d26a2f8_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\364585bc1f33820e43adcbff51917835_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40e4576ff1a43b9f80a6969a37f04659_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a64e8b738cf4da69ea96cc30a8768e3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55c6e4e8fb026bcc4c86e5f763ae1958_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\570459036f5ddefc9778822c2f76a339_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5a4b2c881be41987ffb6c46816d266ec_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b593af9a9ad1da6c3d692936b8b1408_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b643f2f881f1fab0ef188b4a209c055_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f1aa711bcaf6a6083336b2fa9094c59_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62280fefc77d0303c05d9c223c985122_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6684fe69ab72c1115ae8b0ead2208c96_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ec45555659957f19cf6cc451ed75133_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\737807beab3e5fedbb57541c7361af87_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\771631986d0eebf6defcdf3f21ed621a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a2c49c0cf9af3701a2ae68dd056298f_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b1df13ee8c7370457ac9d4ea01c7617_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\813c1bb8141725aac3d80887049d9750_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c22e54f00b2e2152648537a5e183c99_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9015464dff1f164f8438dc7fcaddef5b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9daaeb4809ef7549a3b47b302e86d8fa_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0d34f30e44ae4b23079179cc0ec03f0_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a67508646b45dca8ba549cec30db76cf_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa60caa4434977ee9c85d912e2fe953d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b21fcf67def70100b2d0d306c2520117_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bce83d46a1d72c0abd395a7ca79db682_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf50a03166257acd6800d7c698fc8cdb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c895a93762aa1d6d2bed5e53123cc37a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c9b85b981d498373c8604d8bec8446ff_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb7a96c56be83ecd699801c770b9b8ef_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda16dda4371c3a179244a9fae329dce_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d1a817d60f3c7b8b1bd2afe304fc98bd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d4354a36a629b2ab3f2244e639319bf3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d52cbc5b7bacebd3d3b029400f734218_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e116647dcb28454d9548345d3adbe60e_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2b58a1ac12067f3c9a9575a132add08_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e39b7241b018cbee16ce94bfd857dd92_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea1f342849f9f7a2a48c7b737766e92a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb05245099b8d7313a17df13bf102efc_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f22383b6c3cf70dba79583ac283ca139_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f27adc9055369c2836a77e1009083ed6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f72615baaa7308b0249044a31a7f83cb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f77b9afcba0974c1b942e4759677b511_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f8a28d96468a3a70fd72434d0bfa480b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call512.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\chat512.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\index2.dat Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\profile4096.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer512.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user1024.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user16384.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user4096.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Skype\hillierinto\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3 ZIP: infected - 1 skipped
    C:\Documents and Settings\win\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\win\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\win\ntuser.dat Object is locked skipped
    C:\Documents and Settings\win\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
    C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\D0000000.FCS Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\inuse.txt Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\L0000002.FCS Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\main.log Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.idx Object is locked skipped
    C:\Program Files\MSTpscre\TPSCREX.EXE.0.AVB Object is locked skipped
    C:\Program Files\MSTpscre\TPSCREX.EXE.1.AVB Object is locked skipped
    C:\Program Files\MSTpscre\TPSCREX.EXE.2.AVB Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP1\A0000020.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP1\A0000021.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP1\A0000028.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP1\A0000028.exe 7-Zip: infected - 1 skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP1\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\andt.sys Infected: Trojan-Downloader.Win32.Delf.gza skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\Documents and Settings\win\My Documents\Incomplete\Preview-T-3545425-i have loved you all along.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\Program Files\Common Files\Adobe\Installers\8d0dc9390f2c596455e1446b5918a40\Setup.exe Infected: Trojan-Downloader.Win32.Agent.kbm skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\Program Files\Common Files\epjnrlbc\crcrlrre\bdejcrnp.exe Infected: not-a-virus:AdWare.Win32.Gator.a skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\Program Files\Common Files\epjnrlbc\ejprnafaph\jbehcjtln.exe Infected: not-a-virus:AdWare.Win32.Gator.a skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\Driver\i386\TzoLibr.dll Infected: Backdoor.Win32.Iroffer.z skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\Driver\i386\winlogon.exe Infected: Backdoor.Win32.Iroffer.bh skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\NDNuninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.y skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\system32\Indt2.sys Infected: Trojan.Win32.VB.cqk skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.kiy skipped
    C:\_OTMoveIt\MovedFiles\04252008_093824\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    Scan process completed.
     
  16. 2008/04/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO
    OK, good, we're almost there.

    Please put this into the OTMoveIt2 box and click Move it.

    C:\WINDOWS\system32\andt.sys
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3 ZIP


    Then do this.

    Reboot your computer if OTMoveIt did not.

    • Please double-click OTMoveIt.exe to run it.
    • Click on the CleanUp! button. When you do this, a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
    • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

    Now do this please.

    We need to turn System Restore off and on again. There are infections in it, and by using System Restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under “Type a description for your restore point…” put a name in the box. Click Create. In the next window click Close.

    Run ATF Cleaner again.

    Now please do another Kaspersky scan and post the log.

    Thanks
    Geri
     
  17. 2008/04/25
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    Kick em' out the BACKDOOR!

    Ok.......
    Kapper 3

    ------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, April 25, 2008 11:52:28 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 26/04/2008
    Kaspersky Anti-Virus database records: 725983
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 48569
    Number of viruses found: 10
    Number of infected objects: 13
    Number of suspicious objects: 0
    Duration of the scan process: 00:32:04

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/mrofinu1864.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan-Downloader.Win32.Delf.feh skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/svehost.exe Infected: Net-Worm.Win32.Kolab.qs skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/winself.exe Infected: Trojan.Win32.DNSChanger.cii skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip/backups/wmsdkns.exe Infected: not-virus:Hoax.Win32.Renos.bso skipped
    C:\Documents and Settings\Administrator.WIN-FDA9083A0F2\Desktop\y\SDFix\backups\backups.zip ZIP: infected - 6 skipped
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\win\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3b2a2fb3 ZIP: infected - 1 skipped
    C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\WINDOWS\system32\Indt2.sys Infected: Trojan-Clicker.Win32.VB.and skipped
    C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.kiy skipped
    C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    Scan process completed.
     
  18. 2008/04/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO
    OK, a few things left to do.

    OTMoveIt clean up did not remove SDFix? It should have, so we will do it manually.

    Delete SDFix.exe

    Then delete this folder.
    C:\SDFix


    Your Java cache has infections in it.

    Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

    1. From the Start button, click Settings > Control Panel
    2. In the Control Panel, open the "Java Plug-in Control Panel"
    3. Select the Cache Tab
    4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory
    Close those windows.

    These files came back (not a good sign :(), so we'll try to delete them manually.

    Enable the 'Show Hidden Files/Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\wserving.exe
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\Indt2.sys


    After that, reboot.

    Run ATF Cleaner again.

    Now run Kaspersky again and post the log.

    Thanks
    Geri
     
  19. 2008/04/26
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    Say GOODBYE!!!!

    Almost gone!!! Just a few trojans....looks like Backdoor is gone???...THANK-YOU!!!


    Kaspersky:
    Saturday, April 26, 2008 10:26:18 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 26/04/2008
    Kaspersky Anti-Virus database records: 726402


    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 47969
    Number of viruses found: 3
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:32:35

    Infected Object Name / Virus Name / Last Action

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b1df13ee8c7370457ac9d4ea01c7617_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\813c1bb8141725aac3d80887049d9750_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c22e54f00b2e2152648537a5e183c99_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9015464dff1f164f8438dc7fcaddef5b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9daaeb4809ef7549a3b47b302e86d8fa_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0d34f30e44ae4b23079179cc0ec03f0_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a67508646b45dca8ba549cec30db76cf_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa60caa4434977ee9c85d912e2fe953d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b21fcf67def70100b2d0d306c2520117_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bce83d46a1d72c0abd395a7ca79db682_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf50a03166257acd6800d7c698fc8cdb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c895a93762aa1d6d2bed5e53123cc37a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c9b85b981d498373c8604d8bec8446ff_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb7a96c56be83ecd699801c770b9b8ef_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda16dda4371c3a179244a9fae329dce_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d1a817d60f3c7b8b1bd2afe304fc98bd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d4354a36a629b2ab3f2244e639319bf3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d52cbc5b7bacebd3d3b029400f734218_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e116647dcb28454d9548345d3adbe60e_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2b58a1ac12067f3c9a9575a132add08_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e39b7241b018cbee16ce94bfd857dd92_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea1f342849f9f7a2a48c7b737766e92a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb05245099b8d7313a17df13bf102efc_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f22383b6c3cf70dba79583ac283ca139_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f27adc9055369c2836a77e1009083ed6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f72615baaa7308b0249044a31a7f83cb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f77b9afcba0974c1b942e4759677b511_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f8a28d96468a3a70fd72434d0bfa480b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call512.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\callmember256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\chat512.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\contactgroup256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\index2.dat Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\profile4096.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer512.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user1024.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user16384.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user4096.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\voicemail256.dbb Object is locked skipped

    C:\Documents and Settings\win\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\win\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\History\History.IE5\MSHist012008042620080427\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\temp\~DF115.tmp Object is locked skipped

    C:\Documents and Settings\win\Local Settings\temp\~DF120.tmp Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\win\ntuser.dat Object is locked skipped

    C:\Documents and Settings\win\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped

    C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\D0000000.FCS Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\inuse.txt Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\L0000002.FCS Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\main.log Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.idx Object is locked skipped

    C:\Program Files\MSTpscre\TPSCREX.EXE.0.AVB Object is locked skipped

    C:\Program Files\MSTpscre\TPSCREX.EXE.1.AVB Object is locked skipped

    C:\Program Files\MSTpscre\TPSCREX.EXE.2.AVB Object is locked skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc10.sys Infected: Trojan-Clicker.Win32.VB.and skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc7.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc8.exe Infected: Trojan.Win32.Agent.kiy skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc9.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP3\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{533BEBB8-0144-408F-BAC3-72CAC82A1DAB}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  20. 2008/04/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO

    OK. That's good.
    Did you run ATF Cleaner?

    These are in your Recycle bin:
    C:\RECYCLER.....Dc7.exe, Dc8.exe, Dc9.exe, Dc10.sys
    We should delete them.
    Right click on your recycle bin and click "empty recycle bin"

    Now I know we have run a lot of scans, but you had some nasty infections so I would like to run one more.

    Please download Rootkit Revealer (link is at the very bottom of the page)
    • Unzip it to your desktop.
    • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
    • Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
    • Click the Scan button (bottom right)
    • It may take a while to scan (don't do anything while it's running)
    • When it's done, go up to File > Save. Choose to save it to your desktop.
    • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

    Thanks
    Geri
     
  21. 2008/04/26
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    Rootkit

    HKU\.DEFAULT\Control Panel\International 4/25/2008 9:37 AM 0 bytes Security mismatch.
    HKU\.DEFAULT\Control Panel\International\Geo 4/25/2008 9:37 AM 0 bytes Security mismatch.
    HKU\S-1-5-21-2052111302-1035525444-839522115-1004\Control Panel\International 4/26/2008 9:47 AM 0 bytes Security mismatch.
    HKU\S-1-5-21-2052111302-1035525444-839522115-1004\Control Panel\International\Geo 4/25/2008 9:37 AM 0 bytes Security mismatch.
    HKU\S-1-5-18\Control Panel\International 4/25/2008 9:37 AM 0 bytes Security mismatch.
    HKU\S-1-5-18\Control Panel\International\Geo 4/25/2008 9:37 AM 0 bytes Security mismatch.
    HKLM\SECURITY\Policy\Secrets\SAC* 3/4/2005 6:07 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI* 3/4/2005 6:07 AM 0 bytes Key name contains embedded nulls (*)
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\3FUB3729\videoByTag[1].xml 4/26/2008 3:59 PM 3.61 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\IOURL3TB\videoByTag[2].xml 4/26/2008 3:49 PM 3.61 KB Visible in Windows API, MFT, but not in directory index.
     
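As an added example (not code from this thread, from Kaspersky or from Sysinternals), here is a small Python triage script for the two log formats posted above. It separates the online scanner's "Object is locked skipped" lines, which are files the scanner could not open rather than detections, from its "Infected:" lines; groups the infections by directory, which is the step Geri does by hand when she points at C:\RECYCLER; and tallies RootkitRevealer discrepancy types so the repeated entries and the one-offs are visible at a glance. The sample inputs are constructed from lines copied from the posts above, and the line layouts it matches are the ones visible on this page, not the tools' documented formats.

```python
"""Triage helpers for the two scan logs posted in this thread (added example)."""
import ntpath
import re
from collections import Counter, defaultdict

# Kaspersky line, as seen above:
#   "<path> Object is locked skipped"   or   "<path> Infected: <name> skipped"
KASPERSKY_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<detection>\S+)) skipped$"
)

# RootkitRevealer line, as seen above:
#   "<path> <m/d/yyyy> <h:mm AM|PM> <size> <unit> <description>"
RKR_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

# Constructed sample: a subset of the scanner output posted above.
KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc10.sys Infected: Trojan-Clicker.Win32.VB.and skipped
C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc7.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc8.exe Infected: Trojan.Win32.Agent.kiy skipped
C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc9.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# Constructed sample: the RootkitRevealer lines posted above.
RKR_SAMPLE = r"""
HKU\.DEFAULT\Control Panel\International 4/25/2008 9:37 AM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 4/25/2008 9:37 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2052111302-1035525444-839522115-1004\Control Panel\International 4/26/2008 9:47 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2052111302-1035525444-839522115-1004\Control Panel\International\Geo 4/25/2008 9:37 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 4/25/2008 9:37 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 4/25/2008 9:37 AM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 3/4/2005 6:07 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/4/2005 6:07 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\3FUB3729\videoByTag[1].xml 4/26/2008 3:59 PM 3.61 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\IOURL3TB\videoByTag[2].xml 4/26/2008 3:49 PM 3.61 KB Visible in Windows API, MFT, but not in directory index.
"""


def parse_kaspersky(text):
    """Split scanner output into locked (unscanned) paths, infected hits and other lines."""
    result = {"locked": [], "infected": [], "other": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KASPERSKY_RE.match(line)
        if m is None:
            result["other"].append(line)  # e.g. "Scan process completed."
        elif m.group("locked"):
            result["locked"].append(m.group("path"))
        else:
            result["infected"].append((m.group("path"), m.group("detection")))
    return result


def infected_by_directory(infected):
    """Group (path, detection) hits by parent directory; ntpath splits backslash paths on any host."""
    groups = defaultdict(list)
    for path, detection in infected:
        parent, name = ntpath.split(path)
        groups[parent].append((name, detection))
    return dict(groups)


def detection_counts(infected):
    """How many hits each detection name accounts for."""
    return Counter(detection for _, detection in infected)


def parse_rootkitrevealer(text):
    """Return one dict per discrepancy line (path, date, time, size, desc)."""
    entries = []
    for line in text.splitlines():
        m = RKR_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def discrepancy_counts(entries):
    """Tally discrepancy descriptions so one-off entries stand out from repeated ones."""
    return Counter(e["desc"] for e in entries)


if __name__ == "__main__":
    k = parse_kaspersky(KASPERSKY_SAMPLE)
    print(f"{len(k['locked'])} locked/unscanned, {len(k['infected'])} infected")
    for parent, hits in infected_by_directory(k["infected"]).items():
        print(parent)
        for name, detection in hits:
            print(f"    {name:12} {detection}")
    for desc, n in discrepancy_counts(parse_rootkitrevealer(RKR_SAMPLE)).most_common():
        print(f"{n:3} x {desc}")
```

Running it on the full scan log instead of the sample prints the four C:\RECYCLER hits under a single directory heading, which is exactly the cue for "empty the recycle bin"; the RootkitRevealer tally shows six "Security mismatch" entries under Control Panel\International and two embedded-null LSA secret keys as repeated types, with the two Content.IE5 cache files as the only per-file discrepancies to look at individually.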
