
Help with Broadcaster/Freestuff virus

Discussion in 'Malware and Virus Removal Archive' started by drewp2, 2007/09/08.

  1. 2007/09/08
    drewp2

    drewp2 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    14
    Likes Received:
    0
    Hi all, and thanks for your help.

    I suddenly got a serious system infection...a week after dumping McAfee and going with Windows Live One Care, coincidentally.

    Hijackthis says:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:06:45 PM, on 9/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\SYSTEM32\srxTitan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Updater.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\dehiddnu.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.shycast.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Titan FTP Server Tray App] "C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe "
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe "
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F3C9A789-E0C6-4D4B-995B-C6C9349D8C6F} - http://www.vlogville.com/beta/files/plugins/vlogville.cab
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\dehiddnu.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - South River Technologies, Inc. - C:\WINDOWS\SYSTEM32\srxTitan.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9801 bytes
     
  2. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS drewp2 :)

    Please go to jotti and upload the following file, click submit then wait for the results. Copy and paste them back here please.

    C:\WINDOWS\system32\dehiddnu.exe


    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.
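Added example, not part of the thread and not noahdfear's or drewp2's code: a small Python triage script that applies the same checks a helper makes by eye on a HijackThis v2 log. The sample lines are copied from the log above (constructed into one snippet), and the scoring rules (no vendor string, "(no name)" browser objects, start page routed through a forwarder) are illustrative heuristics, not a HijackThis feature.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample: entries in the HijackThis v2 log format, mixing benign
# lines with the suspicious ones from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.shycast.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\vuyvpxyc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\dehiddnu.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O23: "Service: NAME - VENDOR - PATH"; an empty vendor shows up as "NAME - - PATH",
# which the optional group handles.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) -(?: (?P<vendor>.*?))? - (?P<path>.+)$")
# O2/O3: "BHO: NAME - {CLSID} - PATH" / "Toolbar: NAME - {CLSID} - PATH".
COM_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# R0/R1: "REGISTRY KEY,Value = URL".
STARTPAGE_RE = re.compile(r"^(?P<key>.+?) = (?P<url>\S+)$")


@dataclass
class Finding:
    severity: str   # "high" or "low" (illustrative scale)
    kind: str       # HijackThis section code the entry came from
    subject: str    # file path, CLSID or URL the finding is about
    reason: str


def triage_service(kind, body):
    """O23 services: no vendor string in system32 is the classic dropper pattern."""
    m = SERVICE_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    vendor = (m.group("vendor") or "").strip()
    if not vendor:
        sev = "high" if "\\system32\\" in path.lower() else "low"
        return [Finding(sev, kind, path, f"service '{name}' has no vendor string")]
    if vendor.lower() == "unknown owner":
        return [Finding("low", kind, path, f"service '{name}' has unknown owner; verify the file")]
    return []


def triage_com_object(kind, body):
    """O2 BHOs and O3 toolbars: unnamed objects loaded into IE, or orphaned CLSIDs."""
    m = COM_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    if path.lower() == "(no file)":
        return [Finding("low", kind, m.group("clsid"), f"orphaned {kind} entry ({name}) points to a missing file")]
    if name.lower() == "(no name)":
        return [Finding("high", kind, path, f"unnamed {kind} object loaded into Internet Explorer")]
    return []


def triage_start_page(kind, body):
    """R0/R1 start page: flag a URL that forwards to another site via a homepage= parameter."""
    m = STARTPAGE_RE.match(body)
    if not m or "start page" not in m.group("key").lower():
        return []
    url = m.group("url")
    forwarded = parse_qs(urlsplit(url).query).get("homepage")
    if forwarded:
        return [Finding("high", kind, url, f"start page is redirected through a forwarder to {forwarded[0]}")]
    return []


HANDLERS = {
    "O23": triage_service,
    "O2": triage_com_object,
    "O3": triage_com_object,
    "R0": triage_start_page,
    "R1": triage_start_page,
}


def triage_log(text):
    """Run every handler over the log and return the list of findings."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, separators
        handler = HANDLERS.get(m.group("kind"))
        if handler:
            findings.extend(handler(m.group("kind"), m.group("body")))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.kind:<3} {f.subject}\n       {f.reason}")
```

On the sample above this reports dehiddnu.exe, vuyvpxyc.dll and the shycast.com forwarder as high, and the orphaned toolbar CLSID and the Dell service as low, while the Intel and Adobe entries stay quiet.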
     


  4. 2007/09/08
    drewp2

    drewp2 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    14
    Likes Received:
    0
    Hi Noahdfear,

    Thanks for your help.

    First a confession. I forgot to run AdAware SE Personal before running HiJackThis. As I was awaiting a reply to my posting here, I realized this and ran it. It found plenty. However, rather than take any action I decided to cancel Adaware and follow your instructions.

    If you want me to go back to the beginning and start over after re-running Adaware and trying to clean that way I would be happy to.

    If you would like to proceed without doing that, here are the results from jotti:

    Scan taken on 08 Sep 2007 17:10:29 (GMT)
    A-Squared
    Found Trojan.Win32.Agent.bck
    AntiVir
    Found TR/Fotomoto.E
    ArcaVir
    Found Trojan.Agent.Bck
    Avast
    Found nothing
    AVG Antivirus
    Found Generic2.ONQ
    BitDefender
    Found Trojan.Fotomoto.E
    ClamAV
    Found Trojan.Agent-7570
    CPsecure
    Found Troj.W32.Agent.bck
    Dr.Web
    Found Trojan.EzulaAd
    F-Prot Antivirus
    Found W32/Trojan.BXOI
    F-Secure Anti-Virus
    Found Trojan.Win32.Agent.bck
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan.Win32.Agent.bck
    NOD32
    Found Win32/Agent.BCK
    Norman Virus Control
    Found W32/Vundo.dam
    Panda Antivirus
    Found Trj/Downloader.OZB
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/Bckdr-QJL
    VirusBuster
    Found Adware.Vundo.P.Gen
    VBA32
    Found Trojan.Win32.Agent.bck
     
  5. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download the Killbox from here and save it to the desktop.
    Copy the bolded filepath below by highlighting and pressing Ctrl+C


    C:\WINDOWS\system32\dehiddnu.exe


    • Double-click the KillBox icon on your desktop to open it
    • Select the box Delete on Reboot
    • Then click the All Files button.
    • Click File on the Menu and choose Paste from Clipboard.
    • Click the red x [Delete File] button.
    • Click Yes at the Delete on Reboot prompt. Click Yes at the Pending Operations prompt.

    If the computer does not reboot on its own, restart it yourself.

    Then, go ahead and run Ad-aware (check for updates first!), allowing it to remove whatever it finds. Reboot when done.

    Finally, do the Deckard's System Scanner and post the log as requested.
     
  6. 2007/09/08
    drewp2

    drewp2 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    14
    Likes Received:
    0
    and here is the scan:

    Deckard's System Scanner v20070905.67
    Run by Podcast Manager on 2007-09-08 13:22:08
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    81: 2007-09-08 17:22:22 UTC - RP649 - Deckard's System Scanner Restore Point
    80: 2007-09-07 20:34:48 UTC - RP648 - Microsoft OneCare Protection Checkpoint
    79: 2007-09-06 19:32:44 UTC - RP647 - Microsoft OneCare Protection Checkpoint
    78: 2007-09-06 19:10:34 UTC - RP646 - Microsoft OneCare Protection Checkpoint
    77: 2007-09-06 18:35:24 UTC - RP645 - Restore Operation


    -- First Restore Point --
    1: 2007-09-06 18:39:40 UTC - RP569 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Podcast Manager.exe) -------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:24:13 PM, on 9/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\SYSTEM32\srxTitan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Updater.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Podcast Manager\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Podcast Manager.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.shycast.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\vuyvpxyc.dll
    O2 - BHO: (no name) - {FC88306C-CABD-42DA-BA84-DC877BE980CB} - C:\WINDOWS\system32\awtsp.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Titan FTP Server Tray App] "C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe "
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe "
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {F3C9A789-E0C6-4D4B-995B-C6C9349D8C6F} - http://www.vlogville.com/beta/files/plugins/vlogville.cab
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\dehiddnu.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - South River Technologies, Inc. - C:\WINDOWS\SYSTEM32\srxTitan.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9092 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 DigiFilter - c:\windows\system32\drivers\digifilt.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
    R0 IFP700 (iRiver Internet Audio Player IFP-700) - c:\windows\system32\drivers\ifp700.sys <Not Verified; iRiver, Inc.; IFP-100>
    R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
    R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
    R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
    R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
    R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
    R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
    R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>

    S1 Tosrfcom - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
    S3 dalwdmservice (dal service) - c:\windows\system32\drivers\dalwdm.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
    S3 FilterService (UVC Filter Service) - c:\windows\system32\drivers\lvuvcflt.sys (file missing)
    S3 Lvckap (Logitech Kernel Audio Processing Filter Driver) - c:\windows\system32\drivers\lvckap.sys (file missing)
    S3 lvpopflt (Logitech POP Suppression Filter) - c:\windows\system32\drivers\lvpopflt.sys (file missing)
    S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>
    R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
    R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe "
    R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
    R2 SRTSERVERDAEMON (Titan FTP Server Daemon) - "c:\windows\system32\srxtitan.exe" <Not Verified; South River Technologies, Inc.; Titan FTP Server>
    R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

    S2 DomainService - c:\windows\system32\dehiddnu.exe /service <Not Verified; ; DDC>
    S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-09-07 18:30:00 370 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (PODCASTER-Podcast Manager).job


    -- Files created between 2007-08-08 and 2007-09-08 -----------------------------

    2007-09-08 12:05:29 0 d-------- C:\Program Files\Trend Micro
    2007-09-08 03:10:30 75328 --a------ C:\WINDOWS\system32\mmihdbtb.exe <Not Verified; ; DDC>
    2007-09-07 03:12:10 69184 --a------ C:\WINDOWS\system32\vuyvpxyc.dll
    2007-09-07 03:06:12 75328 --a------ C:\WINDOWS\system32\dehiddnu.exe <Not Verified; ; DDC>
    2007-09-06 20:43:31 0 d-------- C:\Program Files\FLVPlayer
    2007-09-06 15:04:26 2044363 ---hs---- C:\WINDOWS\system32\pstwa.bak2
    2007-09-06 14:23:21 0 d-------- C:\WINDOWS\CSC
    2007-09-06 14:00:16 244832 --a------ C:\WINDOWS\system32\awtsp.dll
    2007-09-06 13:55:05 0 d-------- C:\WINDOWS\system32\f02WtR
    2007-09-06 13:55:05 0 d-------- C:\Temp


    -- Find3M Report ---------------------------------------------------------------

    2007-09-08 13:21:26 0 d-------- C:\Documents and Settings\Podcast Manager\Application Data\Skype
    2007-09-07 15:22:08 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
    2007-08-12 22:24:55 0 d-------- C:\Program Files\Microsoft Works
    2007-08-10 17:17:11 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-08-03 07:30:42 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-07-30 13:35:29 0 d-------- C:\Program Files\McAfee.com
    2007-07-20 15:56:11 38502 --a------ C:\Documents and Settings\Podcast Manager\Application Data\Comma Separated Values (Windows).ADR


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
    09/07/2007 03:12 AM 69184 --a------ C:\WINDOWS\system32\vuyvpxyc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC88306C-CABD-42DA-BA84-DC877BE980CB}]
    09/06/2007 02:00 PM 244832 --a------ C:\WINDOWS\system32\awtsp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [10/08/2004 04:31 PM]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [10/08/2004 04:27 PM]
    "Apoint "= "C:\Program Files\Apoint\Apoint.exe" [09/13/2004 12:33 PM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
    "@ "=" " []
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/30/2004 03:59 PM]
    "PCMService "= "C:\Program Files\Dell\Media Experience\PCMService.exe" [04/11/2004 09:15 PM]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [02/07/2005 09:43 AM]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/12/2004 05:54 PM]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 02:01 AM]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 02:05 AM]
    "DigidesignMMERefresh "= "C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [10/08/2004 02:48 AM]
    "iRiver Updater "= "\Updater.exe" [07/01/2004 05:20 PM]
    "pdfSaver3 "=" " []
    "MMReminderService "= "C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" []
    "eFax 4.2 "= "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [07/14/2006 04:36 PM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [06/14/2006 04:24 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [08/29/2006 08:33 AM]
    "Titan FTP Server Tray App "= "C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe" [03/05/2007 09:33 AM]
    "OneCareUI "= "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [08/14/2007 12:11 PM]
    "UserFaultCheck "= "C:\WINDOWS\system32\dumprep 0 -u" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
    "AIM "= "C:\Program Files\AIM\aim.exe" [08/01/2006 03:35 PM]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
    "Wise-FTP Scheduler "= "C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe" [03/24/2005 08:10 PM]
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [10/13/2006 06:20 PM]
    "pdfSaver3 "= "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [09/05/2004 05:20 PM]

    C:\Documents and Settings\Podcast Manager\Start Menu\Programs\Startup\
    DESKTOP.INI [8/11/2004 6:15:06 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
    Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [12/22/2004 2:42:22 PM]
    DESKTOP.INI [8/11/2004 6:15:06 PM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [5/12/2005 9:12:55 PM]
    eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [8/16/2006 11:19:28 AM]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/29/2006 12:09:20 PM]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [1/7/2007 10:48:08 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 05:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\awtsp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @= "Service "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a25d6c-113b-11dc-9fed-00114376c3fc}]
    AutoRun\command- E:\wd_windows_tools\setup.exe

    *Newly Created Service* - DOMAINSERVICE



    -- End of Deckard's System Scanner: finished at 2007-09-08 13:25:19 ------------
     
  7. 2007/09/08
    noahdfear
    Did you install the Titan FTP Server program?
    http://www.titanftp.com/

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  8. 2007/09/08
    drewp2
    I think I did install TitanFTP a while ago. Why do you ask?

    I ran Ad-Aware and it picked up only cookies.

    I just had a tab pop up in Firefox with an ad for WinAntiVirus Pro 2006...obviously something is still not right.

    I will now do the combofix and hijackthis and post it.
     
  9. 2007/09/08
    noahdfear
    I asked about TitanFTP because it is a direct file transfer application, and such things can be installed by rogue means. Just wanted to be sure that it wasn't the latter. You will find that if you Google the executable for it, srxTitan.exe, many HijackThis analysts instruct people to remove it, especially if they didn't knowingly install it. ;)
     
  10. 2007/09/08
    drewp2
    2 Log files follow.

    1. Combofix log:

    ComboFix 07-09-08.7 - "Podcast Manager" 2007-09-08 14:44:49.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.456 [GMT -4:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\PODCAS~1\APPLIC~1\unins000.exe
    C:\Temp\fse
    C:\WINDOWS\system32\_000008_.tmp.dll
    C:\WINDOWS\system32\_000009_.tmp.dll
    C:\WINDOWS\system32\awtsp.dll
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\cgtpwyct.dll
    C:\WINDOWS\system32\f02WtR
    C:\WINDOWS\system32\mmihdbtb.exe
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\SYSTEM32\pstwa.bak2
    C:\WINDOWS\SYSTEM32\pstwa.ini
    C:\WINDOWS\system32\vuyvpxyc.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
    .

    2007-09-08 14:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-08 13:47 <DIR> d-------- C:\!KillBox
    2007-09-08 13:21 <DIR> d-------- C:\Deckard
    2007-09-08 12:05 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-06 20:43 <DIR> d-------- C:\Program Files\FLVPlayer
    2007-09-06 13:55 <DIR> d-------- C:\Temp
    2007-08-16 01:13 91,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
    2007-08-16 01:13 116,760 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-08 14:42 --------- d-------- C:\DOCUME~1\PODCAS~1\APPLIC~1\Skype
    2007-09-08 13:56 --------- d-------- C:\Program Files\Microsoft Windows OneCare Live
    2007-08-12 22:24 --------- d-------- C:\Program Files\Microsoft Works
    2007-08-12 22:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
    2007-08-03 07:30 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-07-30 13:35 --------- d-------- C:\Program Files\McAfee.com
    2007-07-30 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2005-05-13 21:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
    2005-10-24 15:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
    2005-10-14 01:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
    2005-10-07 23:14:52 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
    2005-07-14 16:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
    2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
    2005-06-22 02:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
    2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
    2006-04-27 14:24:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
    2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
    2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 16:31]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 16:27]
    "Apoint "= "C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
    "SunJavaUpdateSched "= "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59]
    "PCMService "= "C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-07 09:43]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
    "DigidesignMMERefresh "= "C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2004-10-08 02:48]
    "iRiver Updater "= "\Updater.exe" [2004-07-01 17:20]
    "pdfSaver3 "=" " []
    "MMReminderService "= "C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" []
    "eFax 4.2 "= "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 16:36]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-08-29 08:33]
    "Titan FTP Server Tray App "= "C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe" [2007-03-05 09:33]
    "OneCareUI "= "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-14 12:11]
    "UserFaultCheck "= "C:\WINDOWS\system32\dumprep 0 -u" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "AIM "= "C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
    "Wise-FTP Scheduler "= "C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe" [2005-03-24 20:10]
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 18:20]
    "pdfSaver3 "= "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 17:20]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
    Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 14:42:22]
    DESKTOP.INI [2004-08-11 18:15:06]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-12 21:12:55]
    eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-08-16 11:19:28]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 12:09:20]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-01-07 10:48:08]

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\PODCAS~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\Test\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\awtsp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @= "Service "

    R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys
    R0 IFP700;iRiver Internet Audio Player IFP-700;C:\WINDOWS\system32\drivers\ifp700.sys
    R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
    R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
    R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
    R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
    R2 SRTSERVERDAEMON;Titan FTP Server Daemon;"C:\WINDOWS\SYSTEM32\srxTitan.exe"
    R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys
    S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a25d6c-113b-11dc-9fed-00114376c3fc}]
    AutoRun\command- E:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-07 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (PODCASTER-Podcast Manager).job "
    - c:\program files\mcafee.com\vso\mcmnhdlr.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-08 14:53:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-09-08 14:56:57 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-08 14:56
    .
    --- E O F ---

    2. Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:59:57 PM, on 9/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\SYSTEM32\srxTitan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Updater.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Microsoft Windows OneCare Live\GtCC.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.shycast.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Titan FTP Server Tray App] "C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe"
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {F3C9A789-E0C6-4D4B-995B-C6C9349D8C6F} - http://www.vlogville.com/beta/files/plugins/vlogville.cab
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - South River Technologies, Inc. - C:\WINDOWS\SYSTEM32\srxTitan.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8898 bytes
     
  11. 2007/09/08
    noahdfear
    Looks pretty good. Fix the following entries with HijackThis.

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"="msv1_0"
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
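
    Added example, not part of this thread and not code from ComboFix, DSS or HijackThis: a Python script that parses a DSS-style registry dump like the one posted earlier in this thread, lists every LSA "Authentication Packages" entry besides msv1_0 (each entry names a DLL that lsass.exe loads at boot, as SYSTEM, before any user logs on, which is why the fix above resets the value instead of only deleting the file), flags BHO DLLs written into system32 in the week before the scan, and emits the same CFScript reset posted above whenever the LSA value is dirty. SAMPLE_DUMP is constructed from lines in this thread; the seven-day window, the function names and the triage() helper are choices made for this example.

```python
"""Triage of a DSS/ComboFix-style registry dump for two persistence points seen
in this thread: an LSA Authentication Package other than msv1_0 (a DLL that
lsass.exe loads at boot, as SYSTEM, before anyone logs on) and Browser Helper
Object DLLs dropped into system32 shortly before the scan."""
import re
from datetime import date, datetime

# Constructed sample: lines copied from the dump posted in this thread. Single
# backslashes throughout, except where the dump itself doubles them.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
09/07/2007 03:12 AM 69184 --a------ C:\WINDOWS\system32\vuyvpxyc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC88306C-CABD-42DA-BA84-DC877BE980CB}]
09/06/2007 02:00 PM 244832 --a------ C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=msv1_0 C:\\WINDOWS\\system32\\awtsp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
AUTH_RE = re.compile(r'^"Authentication Packages"\s*=\s*(.*)$', re.I)
# DSS file line: MM/DD/YYYY HH:MM AM|PM size attributes path
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) \d{2}:\d{2} [AP]M \d+ \S+ (.+)$")

def parse_dump(text):
    """Group the dump into {registry key: [non-empty lines under it]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def check_auth_packages(sections):
    """Return every Authentication Packages entry that is not msv1_0.

    The value is REG_MULTI_SZ; the dump flattens it onto one line, space
    separated, with .reg-style doubled backslashes. A legitimate entry is a
    bare module name (msv1_0), so anything path-like is suspect even if a
    space inside the path splits it in two here."""
    extras = []
    for key, lines in sections.items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for line in lines:
            m = AUTH_RE.match(line)
            if not m:
                continue
            for entry in m.group(1).strip().strip('"').split():
                if entry.lower() != "msv1_0":
                    extras.append(entry.replace("\\\\", "\\"))
    return extras

def check_bhos(sections, scan_date, max_age_days=7):
    """Return (CLSID, DLL path) for BHOs in system32 written within
    max_age_days of the scan. The window is this example's choice."""
    hits = []
    for key, lines in sections.items():
        if "browser helper objects" not in key.lower():
            continue
        clsid = key.rsplit("\\", 1)[-1]
        for line in lines:
            m = FILE_RE.match(line)
            if not m:
                continue
            written = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            path = m.group(2)
            if "\\system32\\" in path.lower() and (scan_date - written).days <= max_age_days:
                hits.append((clsid, path))
    return hits

def cfscript_reset_auth_packages():
    """The CFScript posted above: reset the LSA value to msv1_0 alone."""
    return ("Registry::\n"
            "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
            '"Authentication Packages"="msv1_0"\n')

def triage(text, scan_date="2007-09-08"):
    """Run both checks; only emit the reset script when LSA is actually dirty."""
    sections = parse_dump(text)
    extras = check_auth_packages(sections)
    return {
        "auth_packages": extras,
        "recent_bhos": check_bhos(sections, date.fromisoformat(scan_date)),
        "cfscript": cfscript_reset_auth_packages() if extras else None,
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE_DUMP).items():
        print(f"{name}: {value}")
```

    To use it on a real log, pass the saved dump text and the scan date printed in its header: triage(open("main.txt").read(), "2007-09-08"). The LSA check is the one worth keeping around: a BHO only runs when the browser does, but an extra authentication package runs inside lsass.exe from boot, so a cleanup that deletes the DLL without repairing this value leaves lsass trying to load a missing module every start.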
     
  12. 2007/09/08
    drewp2
    Will do, but before I go can I ask a way off-topic thing:

    1. Can I remove processes that run for no reason this way with HijackThis? For example I see the iRiver updater on there, and it always tries to access the internet even though I don't have an iRiver anymore and uninstalled the software long ago. Can I kill it with HijackThis? Prob not...
     
  13. 2007/09/08
    drewp2
    combofix log:

    ComboFix 07-09-08.7 - "Podcast Manager" 2007-09-08 15:42:24.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.562 [GMT -4:00]
    Command switches used :: C:\Documents and Settings\Podcast Manager\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
    .

    2007-09-08 14:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-08 13:47 <DIR> d-------- C:\!KillBox
    2007-09-08 13:21 <DIR> d-------- C:\Deckard
    2007-09-08 12:05 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-06 20:43 <DIR> d-------- C:\Program Files\FLVPlayer
    2007-09-06 13:55 <DIR> d-------- C:\Temp
    2007-08-16 01:13 91,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
    2007-08-16 01:13 116,760 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-08 15:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-08 14:59 --------- d-------- C:\DOCUME~1\PODCAS~1\APPLIC~1\Skype
    2007-09-08 13:56 --------- d-------- C:\Program Files\Microsoft Windows OneCare Live
    2007-08-12 22:24 --------- d-------- C:\Program Files\Microsoft Works
    2007-08-12 22:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
    2007-08-03 07:30 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
    2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\WUPS.DLL
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
    2007-07-30 13:35 --------- d-------- C:\Program Files\McAfee.com
    2007-07-30 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
    2007-07-05 17:55 158192 --a------ C:\WINDOWS\SYSTEM32\pxwma.dll
    2007-06-26 11:13 851968 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
    2007-06-26 10:09 658944 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
    2007-06-26 02:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
    2007-06-19 09:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
    2007-06-14 14:09 96256 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
    2007-06-14 14:09 615424 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    2007-06-14 14:09 55808 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    2007-06-14 14:09 532480 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    2007-06-14 14:09 474112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
    2007-06-14 14:09 449024 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    2007-06-14 14:09 39424 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
    2007-06-14 14:09 357888 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
    2007-06-14 14:09 3058688 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-06-14 14:09 251392 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
    2007-06-14 14:09 205312 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    2007-06-14 14:09 16384 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    2007-06-14 14:09 151040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
    2007-06-14 14:09 1494528 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
    2007-06-14 14:09 146432 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    2007-06-14 14:09 1054208 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
    2007-06-14 14:09 1023488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
    2007-06-14 10:07 18432 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 06:23 1033216 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
    2005-05-13 21:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
    2005-10-24 15:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
    2005-10-14 01:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
    2005-10-07 23:14:52 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
    2005-07-14 16:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
    2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
    2005-06-22 02:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
    2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
    2006-04-27 14:24:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
    2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
    2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 16:31]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 16:27]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-07 09:43]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
    "DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2004-10-08 02:48]
    "iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
    "pdfSaver3"="" []
    "MMReminderService"="C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" []
    "eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 16:36]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-29 08:33]
    "OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-14 12:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
    "Wise-FTP Scheduler"="C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe" [2005-03-24 20:10]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 18:20]
    "pdfSaver3"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 17:20]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
    Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 14:42:22]
    DESKTOP.INI [2004-08-11 18:15:06]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-12 21:12:55]
    eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-08-16 11:19:28]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 12:09:20]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-01-07 10:48:08]

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\PODCAS~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    C:\DOCUME~1\Test\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 18:15:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys
    R0 IFP700;iRiver Internet Audio Player IFP-700;C:\WINDOWS\system32\drivers\ifp700.sys
    R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
    R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
    R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
    R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
    R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys
    S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a25d6c-113b-11dc-9fed-00114376c3fc}]
    AutoRun\command- E:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-07 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (PODCASTER-Podcast Manager).job"
    - c:\program files\mcafee.com\vso\mcmnhdlr.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-08 15:45:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-08 15:46:16
    C:\ComboFix-quarantined-files.txt ... 2007-09-08 15:46
    C:\ComboFix2.txt ... 2007-09-08 14:56
    .
    --- E O F ---
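    The ComboFix report above contains the three things a responder reads first: the attribute-flagged file listing (the --sha-r string marks binaries under SYSTEM32 with the system, hidden, archive and read-only bits set), the Run-key loading points, and an AutoRun command cached under MountPoints2 from a removable drive's autorun.inf. The script below is an added example for this thread, not ComboFix's own code and not posted by anyone in the thread. It parses those sections and flags what needs a human look: hidden+system binaries in SYSTEM32, Run values with an empty command, with a non-absolute path (the "\Updater.exe" entry above resolves against the current drive rather than a fixed location), or with no file timestamp (this example takes an empty [] to mean ComboFix found no file at that path, an assumption about the report format), and every cached AutoRun command. The sample lines are copied from the report above; the regexes are this example's own and tolerate the stray spaces the forum rendering puts around the = sign.

```python
"""Triage helpers for the ComboFix report sections shown above.

Added example for this thread; not ComboFix's own code. Sample lines are
copied from the report above; the regexes are this example's assumptions
about the report's text format.
"""
import re
from typing import Dict, List, Tuple

# Attribute-flagged file listing: "<date> <time> <size> <attrs> <path>"
FILE_LISTING = r'''
2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
'''

# Reg Loading Points. The last line keeps the stray spaces the forum
# rendering inserted around '=' to show the parser tolerates them.
RUN_SECTION = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 16:31]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
"pdfSaver3"="" []
"MMReminderService"="C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfSaver3 "= "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe " [2004-09-05 17:20]
'''

# Per-user cache of a removable drive's autorun.inf command.
MOUNTPOINTS = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a25d6c-113b-11dc-9fed-00114376c3fc}]
AutoRun\command- E:\wd_windows_tools\setup.exe
'''

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+([\d,]+)\s+([-a-z]+)\s+(.+)$")
HIVE_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>.*?)\s*"\s*=\s*"(?P<cmd>.*?)\s*"\s*\[(?P<stamp>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(.+)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_files(text: str) -> List[Dict]:
    """One dict per listing line; the attribute letters (s, h, a, r) become a set."""
    rows = []
    for ln in text.splitlines():
        m = FILE_RE.match(ln.strip())
        if m:
            _date, _time, size, attrs, path = m.groups()
            rows.append({"path": path, "size": int(size.replace(",", "")),
                         "attrs": set(attrs.replace("-", ""))})
    return rows


def hidden_system_binaries(rows: List[Dict]) -> List[str]:
    """Binaries under SYSTEM32 carrying both the hidden and system bits.
    Legitimate DLLs and EXEs are not normally hidden there, so each of
    these is worth hashing and looking up before it is trusted."""
    hits = []
    for r in rows:
        low = r["path"].lower()
        if ({"h", "s"} <= r["attrs"] and "\\system32\\" in low
                and low.endswith((".exe", ".dll", ".sys"))):
            hits.append(r["path"])
    return hits


def parse_run_entries(text: str) -> List[Dict]:
    """Collect "Name"="command" [timestamp] lines under each [HKEY_...] header."""
    entries, hive = [], None
    for ln in text.splitlines():
        ln = ln.strip()
        h = HIVE_RE.match(ln)
        if h:
            hive = h.group(1)
            continue
        m = RUN_RE.match(ln)
        if m and hive:
            entries.append({"hive": hive, "name": m["name"].strip(),
                            "cmd": m["cmd"].strip(), "stamp": m["stamp"].strip()})
    return entries


def review_run_entries(entries: List[Dict]) -> List[Tuple[str, str]]:
    """(name, reason) for every Run value that needs a human look."""
    findings = []
    for e in entries:
        if not e["cmd"]:
            findings.append((e["name"], "empty command: dangling Run value"))
        elif not ABS_PATH_RE.match(e["cmd"]):
            findings.append((e["name"], "command is not an absolute path; it resolves "
                                        "against the current drive, so check what really runs"))
        elif not e["stamp"]:
            # Assumption of this example: an empty [] means ComboFix found no file at that path.
            findings.append((e["name"], "no file timestamp: target not found on disk"))
    return findings


def autorun_commands(text: str) -> List[str]:
    """AutoRun commands cached under MountPoints2; each came from a drive's autorun.inf."""
    cmds = []
    for ln in text.splitlines():
        m = AUTORUN_RE.match(ln.strip())
        if m:
            cmds.append(m.group(1).strip())
    return cmds


def triage() -> Dict[str, list]:
    return {"hidden_system_binaries": hidden_system_binaries(parse_files(FILE_LISTING)),
            "run_findings": review_run_entries(parse_run_entries(RUN_SECTION)),
            "autorun": autorun_commands(MOUNTPOINTS)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("   ", item)
```

    Running it on the sample reports the three hidden+system binaries, flags "iRiver Updater" (relative path), "pdfSaver3" (the empty HKLM copy; the HKCU copy with a real path is left alone) and "MMReminderService" (no file on disk), and lists the E:\ AutoRun command. None of these is a verdict: the point of the script is to shorten a long report to the handful of entries that deserve a hash lookup or a registry check.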
     
  14. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, you can fix that and others with HijackThis.
     
  15. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post the contents of C:\ComboFix-quarantined-files.txt
     
  16. 2007/09/08
    drewp2

    drewp2 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    14
    Likes Received:
    0
    Code:
    2000-10-27 18:23      50688    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\BSZIP.DLL.vir
    2004-08-04 06:00      132096    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_000008_.tmp.dll.vir
    2004-10-27 21:21      721920    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_000009_.tmp.dll.vir
    2007-03-09 17:26      683801    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\PODCAS~1\APPLIC~1\unins000.exe.vir
    2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
    2007-09-06 13:55      17    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msnav32.ax.vir
    2007-09-06 14:00      244832    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\awtsp.dll.vir
    2007-09-07 03:12      69184    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vuyvpxyc.dll.vir
    2007-09-08 03:04      2044363    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pstwa.bak2.vir
    2007-09-08 03:10      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mmihdbtb.exe.vir
    2007-09-08 14:44      69184    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cgtpwyct.dll.vir
    2007-09-08 14:48      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
    2007-09-08 14:49      152    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-09-08 14:49      2081426    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pstwa.ini.vir
    2007-09-08 14:49      224535    --a------    C:\Qoobox\Quarantine\catchme2007-09-08_145317.42.zip
    2007-09-08 14:49      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
    
    
    Folder PATH listing
    Volume serial number is ACD8-0815
    C:\QOOBOX\QUARANTINE
    |   catchme.log
    |   catchme2007-09-08_145317.42.zip
    |   
    +---C
    |   +---ComboFix
    |   |       FProps.vbs.vir
    |   |       
    |   +---DOCUME~1
    |   |   \---PODCAS~1
    |   |       \---APPLIC~1
    |   |               unins000.exe.vir
    |   |               
    |   \---WINDOWS
    |       \---SYSTEM32
    |               awtsp.dll.vir
    |               BSZIP.DLL.vir
    |               cgtpwyct.dll.vir
    |               mmihdbtb.exe.vir
    |               msnav32.ax.vir
    |               pstwa.bak2.vir
    |               pstwa.ini.vir
    |               vuyvpxyc.dll.vir
    |               _000008_.tmp.dll.vir
    |               _000009_.tmp.dll.vir
    |               
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.cf
            services_DomainService.reg.cf
            
    
     
  17. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. :)

    Please delete the following.

    C:\WINDOWS\NirCmd.exe
    C:\!KillBox
    C:\Deckard
    combofix.exe
    dss.exe
    All combofix logs


    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.


    Now, let's make sure we haven't missed something and do an online scan.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Post the Kaspersky log and one more fresh HijackThis log.
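    The Kaspersky log requested here, as posted later in the thread, runs to well over a hundred lines, and most of them read "Object is locked skipped": registry hives, the SAM, open Outlook and Skype databases, files an on-demand scanner cannot open and which are not detections. The script below is an added example for this thread, not Kaspersky's tooling and not posted by anyone in the thread. It reduces such a log to locked-object counts, per-container totals and the real detections, and for each detection records whether it sits inside a container (the Klez hits in that log are attachments inside a 2002-era PST, dormant mail content rather than a running file) and whether the path is already inside ComboFix's quarantine folder (the .vir files under C:\qoobox). The sample lines are copied from the log posted in this thread; the "<object> <verdict> <last action>" line format the regex assumes is this example's own reading of that log.

```python
"""Reduce a Kaspersky Online Scanner log to the lines that matter.

Added example for this thread, not Kaspersky's or the forum's code. Sample
lines are copied from the scanner log posted in the thread; the line format
assumed here ("<object> <verdict> <last action>") is this example's reading.
"""
import re
from collections import Counter
from typing import Dict, List

KAV_LOG = r'''
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml/[From "25386-3BE9E237-1206" <25386-3BE9E237-1206@storefull-136.iap.bryant.webtv.net>][Date Fri, 16 Aug 2002 21:13:41 -0400 (EDT)]/UNNAMED/border.pif Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst Mail MS Mail: infected - 6, suspicious - 4 skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\mmihdbtb.exe.vir Infected: Trojan.Win32.Agent.bck skipped
'''

# Object path, then one of the three verdict forms seen in the log, then the last action.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+) (?P<action>\S+)$")


def parse(log: str) -> Dict:
    """Split the log into locked-object count, detections, and lines of other shapes."""
    locked, findings, unparsed = 0, [], []
    for ln in log.splitlines():
        ln = ln.strip()
        if not ln:
            continue
        m = LINE_RE.match(ln)
        if not m:
            unparsed.append(ln)          # e.g. the per-mailbox total "Mail MS Mail: infected - 6 ..."
            continue
        if m["verdict"] == "Object is locked":
            locked += 1                  # open hive or database, not a detection
            continue
        kind, detection = m["verdict"].split(": ", 1)
        # Windows paths use backslashes, so the first '/' separates the on-disk
        # container (PST, archive) from the path of the object inside it.
        container, _, inner = m["obj"].partition("/")
        low = container.lower()
        findings.append({
            "kind": kind,                # "Infected" or "Suspicious"
            "detection": detection,
            "container": container,
            "inner": inner,
            "nested": bool(inner),       # inside a mailbox/archive: dormant content, not a running file
            "quarantined": "\\quarantine\\" in low and low.endswith(".vir"),
            "action": m["action"],
        })
    return {"locked": locked, "findings": findings, "unparsed": unparsed}


def per_container(findings: List[Dict]) -> Dict[str, Counter]:
    """Detection-name counts grouped by the on-disk file they were found in."""
    out: Dict[str, Counter] = {}
    for f in findings:
        out.setdefault(f["container"], Counter())[f["detection"]] += 1
    return out


if __name__ == "__main__":
    result = parse(KAV_LOG)
    print("locked objects skipped:", result["locked"])
    for container, counts in per_container(result["findings"]).items():
        print(container, dict(counts))
    for f in result["findings"]:
        print(" ", f["kind"], f["detection"], "nested" if f["nested"] else "on disk",
              "(already in quarantine)" if f["quarantined"] else "")
```

    On the sample this yields two locked objects, one unparsed per-mailbox total, two detections nested inside the PST and one Infected hit that is already a .vir in ComboFix's quarantine; the remaining decision (delete the old PST, or strip the messages from it) is then about one file rather than a hundred lines.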
     
  18. 2007/09/08
    drewp2

    drewp2 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    14
    Likes Received:
    0
    You have been so helpful so far... I really appreciate it. I will have to pick this up again this evening.

    back soon...
     
  19. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Whenever is good for you ;)
     
  20. 2007/09/08
    drewp2

    drewp2 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    14
    Likes Received:
    0
    Kaspersky log:

    Saturday, September 08, 2007 7:54:13 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 8/09/2007
    Kaspersky Anti-Virus database records: 410377
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    Scan Statistics
    Total number of scanned objects 72663
    Number of viruses found 3
    Number of infected objects 8
    Number of suspicious objects 4
    Duration of the scan process 01:50:01

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-08162007-011204.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edbtmp.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCInfoLog.etl Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Aim\ovbzsppt\drewpelo\cert8.db Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Aim\ovbzsppt\drewpelo\key3.db Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\call256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chat1024.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chat256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chat512.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg1024.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg2048.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg32768.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg4096.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg512.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\chatmsg8192.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\index2.dat Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\profile16384.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\transfer256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\transfer512.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\user1024.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\user16384.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\user256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\user4096.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Application Data\Skype\drewpeloso\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\History\History.IE5\MSHist012007090820070909\index.dat Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Temp\~DF20DD.tmp Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Temp\~DFFB9.tmp Object is locked skipped
    C:\Documents and Settings\Podcast Manager\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Gateway 9550 latest dump.pst Object is locked skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml/[From "25386-3BE9E237-1206" <25386-3BE9E237-1206@storefull-136.iap.bryant.webtv.net>][Date Fri, 16 Aug 2002 21:13:41 -0400 (EDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml/[From "25386-3BE9E237-1206" <25386-3BE9E237-1206@storefull-136.iap.bryant.webtv.net>][Date Fri, 16 Aug 2002 21:13:41 -0400 (EDT)]/UNNAMED/border.pif Infected: Email-Worm.Win32.Klez.h skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml/[From "25386-3BE9E237-1206" <25386-3BE9E237-1206@storefull-136.iap.bryant.webtv.net>][Date Fri, 16 Aug 2002 21:13:41 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml Infected: Email-Worm.Win32.Klez.h skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml/[From info ][Date Fri, 16 Aug 2002 20:48:27 -0400 (EDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml/[From info ][Date Fri, 16 Aug 2002 20:48:27 -0400 (EDT)]/UNNAMED/body_btq_bradford[1].bat Infected: Email-Worm.Win32.Klez.h skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml/[From info ][Date Fri, 16 Aug 2002 20:48:27 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml Infected: Email-Worm.Win32.Klez.h skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst Mail MS Mail: infected - 6, suspicious - 4 skipped
    C:\Documents and Settings\Podcast Manager\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Podcast Manager\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\ClientSD\SubInfo.xml Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\mps_log.bin Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
    C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\mmihdbtb.exe.vir Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{424F0E0D-FB5E-488E-986B-759A460CB9D3}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\MSFWSVC.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Windows_OneCare_Evt.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_1cc.dat Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_b00.dat Object is locked skipped
    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
    C:\WINDOWS\WIASERVC.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:55:44 PM, on 9/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.shycast.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\Wise-FTP\WF_Scheduler.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe "
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {F3C9A789-E0C6-4D4B-995B-C6C9349D8C6F} - http://www.vlogville.com/beta/files/plugins/vlogville.cab
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8428 bytes
     
  21. 2007/09/08
    noahdfear

    Great!

    The only things of note are some saved emails that are infected.

    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml/[From "25386-3BE9E237-1206" <25386-3BE9E237-1206@storefull-136.iap.bryant.webtv.net>][Date Fri, 16 Aug 2002 21:13:41 -0400 (EDT)]/UNNAMED/border.pif Infected: Email-Worm.Win32.Klez.h

    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml/[From "25386-3BE9E237-1206" <25386-3BE9E237-1206@storefull-136.iap.bryant.webtv.net>][Date Fri, 16 Aug 2002 21:13:41 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h

    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 01:36 from MAILER-DAEMON@mpls-mailin-14.inet.qwest.n.eml Infected: Email-Worm.Win32.Klez.h

    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml/[From info ][Date Fri, 16 Aug 2002 20:48:27 -0400 (EDT)]/UNNAMED/body_btq_bradford[1].bat Infected: Email-Worm.Win32.Klez.h

    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml/[From info ][Date Fri, 16 Aug 2002 20:48:27 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h

    C:\Documents and Settings\Podcast Manager\My Documents\Email PST files\Older Gateway dump.pst/Personal Folders/Inbox/17 Aug 2002 02:43 from MAILER-DAEMON@get.hotwired.com:failure no.eml Infected: Email-Worm.Win32.Klez.h


    I'm not going to tell you how to handle them, but they should be removed. Unless some of those emails in the Older Gateway dump.pst folder are needed, I'd delete them all, were it mine.


    Delete the C:\qoobox folder then empty the recycle bin.


    Once the above has been done, your computer is clean. If you're satisfied everything is working properly, I recommend you clear your System Restore points and create a new one that is infection free.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click Next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point', then click Next. Give the restore point a name and click Next.

    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49

    Surf safe!
     

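The restore-point reset described in the post above (System Restore off, back on, then a fresh checkpoint) can also be scripted. The following is an added example, not part of the forum thread and not a tool the helper used, that drives the same steps through the WMI SystemRestore provider in the root\default namespace, which is what the System Properties dialog and the System Restore wizard call underneath on Windows XP. The drive letter and the restore point description are assumptions; run it from an Administrator account.

```powershell
# Added example (not from the forum post): reset System Restore the way the
# post describes, but through WMI instead of the System Properties dialog.
# Assumptions: System Restore is monitoring C:\ and the account is an
# administrator. Tested semantics are those of the XP-era SystemRestore
# WMI provider (root\default), which later Windows versions still expose.

$drive       = "C:\"                            # assumed system drive
$description = "Clean after malware removal"    # assumed checkpoint name

# Enable/Disable/CreateRestorePoint are static methods, so bind the class.
$srClass = [wmiclass] "\\.\root\default:SystemRestore"

function Get-RestorePoints {
    # Each instance is one restore point; CreationTime is a DMTF timestamp.
    @(Get-WmiObject -Namespace root\default -Class SystemRestore) |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = "Created"; Expression = {
                [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

function Invoke-SrMethod([string] $name, [object[]] $args) {
    # All three static methods return 0 on success in ReturnValue.
    $result = $srClass.InvokeMethod($name, $args)
    if ([int] $result -ne 0) { throw "SystemRestore.$name failed with code $result" }
}

Write-Host "Restore points before:"
Get-RestorePoints | Format-Table -AutoSize

# Turning System Restore off for the drive discards every existing restore
# point, including any that still hold copies of files the cleanup removed.
Invoke-SrMethod "Disable" @($drive)

# Turn it back on; $true waits until the service reports it is enabled.
Invoke-SrMethod "Enable" @($drive, $true)

# Create the clean baseline. RestorePointType 0 = APPLICATION_INSTALL,
# EventType 100 = BEGIN_SYSTEM_CHANGE (the generic "make a checkpoint" pair).
Invoke-SrMethod "CreateRestorePoint" @($description, 0, 100)

# Verify: exactly one restore point should remain, and it should be ours.
$after = @(Get-RestorePoints)
Write-Host "Restore points after:"
$after | Format-Table -AutoSize

if ($after.Count -ne 1 -or $after[0].Description -ne $description) {
    Write-Warning "Expected a single fresh restore point; check the System Restore tab manually."
}
```

The final check matters more than the creation call: if older points are still listed after the Disable/Enable cycle, System Restore was not actually turned off for that drive (for example, it was configured on another volume), and the infected snapshots are still there. On Windows 8 and later, CreateRestorePoint is additionally throttled to one point per 24 hours unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so on those systems the call can return success without creating anything; the verification step catches that case too.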