
Need Help Again for Virus's, Spyware, and Such.

Discussion in 'Malware and Virus Removal Archive' started by Pepse, 2008/01/27.

  1. 2008/01/27
    Pepse

    Okay, this time it isn't my computer. But I decided to help this acquaintance at work. It is an older Dell desktop (a real desktop) with Win2000 Pro. If any other details of the computer are needed, I will supply them later. For starters, here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:30 PM, on 1/27/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\QdrPack\QdrPack12.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {47405797-676C-46A0-9B90-565600A78F8A} - C:\WINNT\system32\cbxyv.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O2 - BHO: 0 - {CD596FC8-AB25-4AF6-C699-C54E36B263CC} - C:\Program Files\Accessories\lavufawe.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [i34yuc387] C:\WINNT\i34yuc387
    O4 - HKLM\..\Run: [eabmitaA] C:\WINNT\eabmitaA.exe
    O4 - HKLM\..\Run: [bantool] C:\WINNT\system32\sdadlrow-t2.exe
    O4 - HKLM\..\Run: [avp] C:\WINNT\TEMP\win54C.tmp.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [Oler] "C:\WINNT\system32\ASKS~1\wuauclt.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINNT\system32\dwdsrngt.exe (User 'Default user')
    O4 - .DEFAULT User Startup: TA_Start.lnk = C:\WINNT\system32\dwdsrngt.exe (User 'Default user')
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136401595865
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
    O20 - Winlogon Notify: cbxyv - C:\WINNT\system32\cbxyv.dll (file missing)
    O20 - Winlogon Notify: winsfg32 - winsfg32.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
    O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\profsysyqu.html

    --
    End of file - 8490 bytes

    Let me know.

    Later. Pepse.
     
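    Triage of the log above, as an added example (not part of Pepse's post and not HijackThis code): the script parses the O2/O4/O20/O23 lines and flags the patterns an analyst checks first. The sample lines are copied verbatim from the posted log; the rules, the tag names and the list of commonly impersonated system-binary names are this example's own assumptions about analyst practice. A hit is a lead to verify, not a verdict: legitimate software occasionally lives in the Windows directory, and an orphaned entry can be nothing more than a sloppy uninstall.

```python
"""Triage a HijackThis 2.x log for the autostart patterns an analyst checks first.

Added example: not part of the forum post and not HijackThis code. The sample
below is a subset of the posted log, copied verbatim. The rules, the tag names
and the list of commonly impersonated system binaries are this example's own
assumptions about analyst practice; a hit is a lead to verify, not a verdict.
"""
import re

# Constructed input: verbatim lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {47405797-676C-46A0-9B90-565600A78F8A} - C:\WINNT\system32\cbxyv.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [i34yuc387] C:\WINNT\i34yuc387
O4 - HKLM\..\Run: [avp] C:\WINNT\TEMP\win54C.tmp.exe
O4 - HKCU\..\Run: [Oler] "C:\WINNT\system32\ASKS~1\wuauclt.exe" -vt yazb
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winsfg32 - winsfg32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# A drive-letter path ending in a binary extension (spaces allowed, e.g. Program Files),
# or, failing that, an extension-less path read up to the next whitespace.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b'
    r'|[A-Za-z]:\\[^"\s]+',
    re.IGNORECASE,
)

# Names of Windows binaries that malware likes to borrow (assumed list).
SYSTEM_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "smss.exe"}

TAG_TEXT = {
    "orphaned": "autostart entry points at a file that no longer exists",
    "temp": "binary runs from a TEMP directory",
    "winroot": "binary sits directly in the Windows directory, not system32 (uncommon for installed software)",
    "impersonation": "carries the name of a Windows system binary but lives outside system32",
    "appinit": "AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll",
    "unknown-owner": "service has no vendor string",
}


def extract_path(rest):
    m = PATH_RE.search(rest)
    return m.group(0) if m else None


def triage_line(line):
    """Return {section, entry, path, tags} for one log line, or None if it is not an O-line."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    path = extract_path(rest)
    tags = []
    if "(file missing)" in rest:
        tags.append("orphaned")
    if path:
        low = path.lower()
        parent, _, name = low.rpartition("\\")
        parent += "\\"
        if "\\temp\\" in low:
            tags.append("temp")
        if re.fullmatch(r"[a-z]:\\(?:winnt|windows)\\[^\\]+", low):
            tags.append("winroot")
        if name in SYSTEM_NAMES and not parent.endswith(("\\system32\\", "\\system\\")):
            tags.append("impersonation")
    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        tags.append("appinit")
    if section == "O23" and "Unknown owner" in rest:
        tags.append("unknown-owner")
    return {"section": section, "entry": line.strip(), "path": path, "tags": tags}


def triage_log(text):
    """Return only the entries that tripped at least one rule, in log order."""
    flagged = []
    for line in text.splitlines():
        result = triage_line(line)
        if result and result["tags"]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["entry"])
        for tag in hit["tags"]:
            print("    ->", TAG_TEXT[tag])
```

    Run as-is it prints each flagged entry with its reasons; point triage_log() at a whole saved log to triage a real one. The avast!, Spybot and Java entries in the sample pass unflagged, which is the point of the rules: they narrow a long log to the handful of lines worth submitting to a multi-engine scanner.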
  2. 2008/01/27
    Pepse

    This computer doesn't appear to have a normal e-mail account, so hopefully it won't be necessary. I think he uses AOL.

    Pepse.
     
  4. 2008/01/29
    Geri
    Hi Pepse

    Download ComboFix from Here to your Desktop.
    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the log.

    Thanks
    Geri
     
  5. 2008/01/30
    Pepse

    ComboFix 08-01-30.6 - Administrator 01/30/2008 12:04:43.1 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.92 [GMT 9:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - svchost.exe: deleted 68 bytes in 1 streams.
    ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
    ADS - explorer.exe: deleted 132 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Application Data\Install.dat
    C:\Documents and Settings\Administrator\Local Settings\Application Data\n.ini
    C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\Default User\Local Settings\Application Data\n.ini
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Program Files\Accessories\profsysyqu.html
    C:\Program Files\Common Files\companion wizard
    C:\Program Files\ISM
    C:\Program Files\ISM\bndloader.exe
    C:\Program Files\ISM\dictionary.gz
    C:\Program Files\ISM\targets.gz
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\outerinfo
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dic.gz
    C:\Program Files\QdrModule\kwd.gz
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\QdrPack12.exe
    C:\Program Files\QdrPack\trgts.gz
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fse
    C:\Temp\fse\tmpZTF.log
    C:\WINNT\cookies.ini
    C:\WINNT\system32\asks~1
    C:\WINNT\system32\asks~1\?asks\
    C:\WINNT\system32\B1
    C:\WINNT\system32\f06WtR
    C:\WINNT\system32\jqvnvbbs.ini
    C:\WINNT\system32\ldinfo.ldr
    C:\WINNT\system32\mcrh.tmp
    C:\WINNT\system32\mit.bat
    C:\WINNT\system32\n.ini
    C:\WINNT\system32\rubvgdmf.ini
    C:\WINNT\system32\vyxbc.bak1
    C:\WINNT\system32\vyxbc.bak2
    C:\WINNT\system32\vyxbc.ini
    C:\WINNT\system32\wnstssv.exe
    C:\WINNT\system32\X1
    C:\WINNT\Web\default.htt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NET_AGENT
    -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
    -------\Net Agent


    ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
    .

    2008-01-30 12:10 . 08-01-30 12:10 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_484.dat
    2008-01-27 23:18 . 08-01-27 23:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 14:03 . 08-01-24 21:28 91,136 --------- C:\WINNT\eraseme_51362.exe
    2008-01-25 13:13 . 08-01-25 13:13 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_208.dat
    2008-01-24 10:53 . 07-12-04 22:04 837,496 --a------ C:\WINNT\system32\aswBoot.exe
    2008-01-24 10:53 . 04-01-09 18:13 380,928 --a------ C:\WINNT\system32\actskin4.ocx
    2008-01-24 10:53 . 07-12-04 21:54 95,608 --a------ C:\WINNT\system32\AvastSS.scr
    2008-01-24 10:53 . 07-12-04 23:55 94,544 --a------ C:\WINNT\system32\drivers\aswmon2.sys
    2008-01-24 10:53 . 07-12-04 23:56 93,264 --a------ C:\WINNT\system32\drivers\aswmon.sys
    2008-01-24 10:53 . 07-12-04 23:51 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
    2008-01-24 10:53 . 07-12-04 23:49 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
    2008-01-24 10:53 . 07-12-04 23:53 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
    2008-01-24 10:52 . 08-01-24 10:52 <DIR> d-------- C:\Program Files\Alwil Software
    2008-01-24 10:00 . 08-01-24 10:00 54,156 --ah----- C:\WINNT\QTFont.qfn
    2008-01-24 10:00 . 08-01-24 10:00 1,409 --a------ C:\WINNT\QTFont.for
    2008-01-23 22:47 . 08-01-23 22:47 230 --a------ C:\WINNT\wininit.ini
    2008-01-23 21:43 . 08-01-30 11:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-30 03:06 --------- d-----w C:\Program Files\Accessories
    2008-01-24 00:34 --------- d-----w C:\Program Files\DefenderPro AntiSpy
    2008-01-23 23:55 --------- d-----w C:\Program Files\Defender Pro
    2006-01-04 17:52 271 ---h--w C:\Program Files\desktop.ini
    2006-01-04 17:52 21,952 ---h--w C:\Program Files\folder.htt
    2005-07-29 06:24 472 --sha-r C:\WINNT\QWRtaW5pc3RyYXRvcg\kqlQuqcDwalVsrlSw0.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47405797-676C-46A0-9B90-565600A78F8A}]
    C:\WINNT\system32\cbxyv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD596FC8-AB25-4AF6-C699-C54E36B263CC}]
    C:\Program Files\Accessories\lavufawe.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "ctfmon.exe" [01-02-21 04:09 8192 C:\WINNT\system32\CTFMON.EXE]
    "Weather "= "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "Oler "= "C:\WINNT\system32\ASKS~1\wuauclt.exe" [ ]
    "QdrPack12 "= "C:\Program Files\QdrPack\QdrPack12.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [03-06-20 04:05 111376 C:\WINNT\system32\mobsync.exe]
    "RealTray "= "C:\Program Files\Real\RealPlayer\RealPlay.exe" [06-01-17 16:46 26112]
    "Smart Start UP "= "C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe" [03-01-21 13:25 98304]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [07-06-03 15:21 155648]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 02:48 36975]
    "eabmitaA "= "C:\WINNT\eabmitaA.exe" [ ]
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-12-04 22:00 79224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 04:05 186640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 03:29:26 180224]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 16:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyv]
    C:\WINNT\system32\cbxyv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
    nwprovau.dll 06-09-01 14:49 140048 C:\WINNT\system32\NWPROVAU.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsfg32]
    winsfg32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    R0 Achernar;Achernar - SCSI Command Filters;C:\WINNT\system32\Drivers\Achernar.sys [05-05-13 14:07 ]
    R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 23:56 ]
    R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINNT\system32\Drivers\Aldebaran.sys [05-05-13 14:07 ]
    R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 21:22 ]

    *Newly Created Service* - IPNAT
    *Newly Created Service* - SHAREDACCESS
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-30 12:10:18
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-01-30 12:13:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-30 03:13:25
    .
    2008-01-25 04:06:20 --- E O F ---
     
  6. 2008/01/30
    Geri
    Hi
    OK, we need to have a few files scanned. Please do each one at a time and post the results.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste each of the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINNT\eraseme_51362.exe
      • C:\WINNT\QTFont.qfn
      • C:\WINNT\QTFont.for
      • C:\WINNT\eabmitaA.exe
    • Click on the submit button
    • Please post the results for each in your next reply.

    Thanks
    Geri
     
  7. 2008/01/31
    Pepse

    Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

    File: eraseme_51362.exe
    Status: INFECTED/MALWARE
    MD5: 6fa83066094190a1c76b0c350c6f27ce
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 31 Jan 2008 07:29:06 (GMT)
    A-Squared Found nothing
    AntiVir Found TR/Crypt.XPACK.Gen
    ArcaVir Found nothing
    Avast Found Win32:SdBot-5054
    AVG Antivirus Found nothing
    BitDefender Found DeepScan:Generic.Sdbot.F681A9C3
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found Win32.HLLW.MyBot.based
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Backdoor.Win32.SdBot.csq
    Fortinet Found W32/MS04011.A!exploit
    Ikarus Found Backdoor.Win32.SdBot.aad
    Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.csq
    NOD32 Found a variant of IRC/SdBot
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found Exp/MS04011-A
    VirusBuster Found nothing
    VBA32 Found Backdoor.Win32.SdBot.csq

    Disclaimer
    This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

    Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

    Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

    Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

    Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

     
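    Reading a report like the one above, as an added example (not part of the post and not Jotti's code): the engines disagree on naming, so the useful signal is the family that most of them converge on, not the first name on the list. The script parses the scanner lines, counts how many engines flagged the file and tallies family tokens across vendor names after stripping platform tags and generic markers. The report lines are copied from the post; the stop-word list and the token-length filter are this example's own assumptions.

```python
"""Summarise a multi-engine scan report such as the Jotti output pasted above.

Added example: not part of the forum post and not Jotti's code. The report
lines are copied from the post; the stop-word list that boils vendor naming
down to a family token is this example's own assumption.
"""
import re
from collections import Counter

# Constructed input: the scanner lines from the posted Jotti report, verbatim.
JOTTI_REPORT = """
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:SdBot-5054
AVG Antivirus Found nothing
BitDefender Found DeepScan:Generic.Sdbot.F681A9C3
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Win32.HLLW.MyBot.based
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.SdBot.csq
Fortinet Found W32/MS04011.A!exploit
Ikarus Found Backdoor.Win32.SdBot.aad
Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.csq
NOD32 Found a variant of IRC/SdBot
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Exp/MS04011-A
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.SdBot.csq
"""

LINE_RE = re.compile(r"^(?P<engine>.+?) Found (?P<name>.+)$")

# Platform tags, type prefixes and generic/heuristic markers that carry no
# family information (assumed list; extend it as you meet other naming schemes).
NOISE = {"a", "of", "variant", "win32", "w32", "backdoor", "trojan", "generic",
         "deepscan", "tr", "gen", "based", "exp", "exploit", "hllw", "irc",
         "crypt", "xpack"}


def parse_report(text):
    """Map each engine to its detection name, or None for 'Found nothing'."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name = m.group("name").strip()
            results[m.group("engine")] = None if name.lower() == "nothing" else name
    return results


def family_tokens(name):
    """Tokens left after stripping noise; short or purely numeric variant
    suffixes such as 'csq' or '5054' are dropped as well."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower())
            if len(t) >= 4 and not t.isdigit() and t not in NOISE}


def summarise(text):
    results = parse_report(text)
    detections = {e: n for e, n in results.items() if n}
    votes = Counter()
    for name in detections.values():
        votes.update(family_tokens(name))  # one vote per engine per token
    return {
        "engines": len(results),
        "detections": len(detections),
        "families": votes.most_common(3),
    }


if __name__ == "__main__":
    s = summarise(JOTTI_REPORT)
    print(f"{s['detections']}/{s['engines']} engines flagged the file")
    for token, n in s["families"]:
        print(f"  {token}: {n} engine(s)")
```

    On this report the tally puts seven engines on the SdBot family and two on the MS04011 exploit label; AntiVir's TR/Crypt.XPACK.Gen contributes nothing once its generic tokens are stripped, which is the intended behaviour for packer-heuristic names.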
  8. 2008/01/31
    Pepse

    Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

    File: QTFont.qfn
    Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: dba91cd5a3a68302967c03213e52bde8
    Packers detected: -
    Bit9 reports: No threat detected

    Scanner results
    Scan taken on 31 Jan 2008 07:35:42 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

     
  9. 2008/01/31
    Pepse

    Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

    File: QTFont.for
    Status: OK
    MD5: d4ace7913fe3a799875790f7e4fd8f15
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 31 Jan 2008 07:42:12 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

     
  10. 2008/01/31
    Pepse

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
     
  11. 2008/01/31
    Geri Lifetime Subscription

    Hi Pepse

    Please delete the combofix you have and download the newer version.

    Download ComboFix from Here to your Desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINNT\system32\Perflib_Perfdata_484.dat
    C:\WINNT\system32\Perflib_Perfdata_208.dat
    C:\WINNT\eraseme_51362.exe
    
    Folder::
    C:\WINNT\QWRtaW5pc3RyYXRvcg
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47405797-676C-46A0-9B90-565600A78F8A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD596FC8-AB25-4AF6-C699-C54E36B263CC}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyv]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsfg32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "eabmitaA"=-
    Please post the new combofix log.

    Let me know how things are.

    Thanks
    Geri
     
  12. 2008/02/01
    Pepse

    ComboFix 08-02.01.5 - Administrator 02/01/2008 2:01:33.2 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.107 [GMT 9:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINNT\QWRtaW5pc3RyYXRvcg
    C:\WINNT\QWRtaW5pc3RyYXRvcg\kqlQuqcDwalVsrlSw0.vbs

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsupdate.com
    .
    ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
    .

    2008-01-27 23:18 . 08-01-27 23:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 14:03 . 08-01-24 21:28 91,136 --------- C:\WINNT\eraseme_51362.exe
    2008-01-24 10:53 . 07-12-04 22:04 837,496 --a------ C:\WINNT\system32\aswBoot.exe
    2008-01-24 10:53 . 04-01-09 18:13 380,928 --a------ C:\WINNT\system32\actskin4.ocx
    2008-01-24 10:53 . 07-12-04 21:54 95,608 --a------ C:\WINNT\system32\AvastSS.scr
    2008-01-24 10:53 . 07-12-04 23:55 94,544 --a------ C:\WINNT\system32\drivers\aswmon2.sys
    2008-01-24 10:53 . 07-12-04 23:56 93,264 --a------ C:\WINNT\system32\drivers\aswmon.sys
    2008-01-24 10:53 . 07-12-04 23:51 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
    2008-01-24 10:53 . 07-12-04 23:49 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
    2008-01-24 10:53 . 07-12-04 23:53 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
    2008-01-24 10:52 . 08-01-24 10:52 <DIR> d-------- C:\Program Files\Alwil Software
    2008-01-24 10:00 . 08-01-24 10:00 54,156 --ah----- C:\WINNT\QTFont.qfn
    2008-01-24 10:00 . 08-01-24 10:00 1,409 --a------ C:\WINNT\QTFont.for
    2008-01-23 22:47 . 08-01-23 22:47 230 --a------ C:\WINNT\wininit.ini
    2008-01-23 21:43 . 08-01-30 11:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-30 03:06 --------- d-----w C:\Program Files\Accessories
    2008-01-24 00:34 --------- d-----w C:\Program Files\DefenderPro AntiSpy
    2008-01-23 23:55 --------- d-----w C:\Program Files\Defender Pro
    2006-01-04 17:52 271 ---h--w C:\Program Files\desktop.ini
    2006-01-04 17:52 21,952 ---h--w C:\Program Files\folder.htt
    1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47405797-676C-46A0-9B90-565600A78F8A}]
    C:\WINNT\system32\cbxyv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD596FC8-AB25-4AF6-C699-C54E36B263CC}]
    C:\Program Files\Accessories\lavufawe.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [01-02-21 04:09 8192 C:\WINNT\system32\CTFMON.EXE]
    "Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "Oler"="C:\WINNT\system32\ASKS~1\wuauclt.exe" [ ]
    "QdrPack12"="C:\Program Files\QdrPack\QdrPack12.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-20 04:05 111376 C:\WINNT\system32\mobsync.exe]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [06-01-17 16:46 26112]
    "Smart Start UP"="C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe" [03-01-21 13:25 98304]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-03 15:21 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 02:48 36975]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-12-04 22:00 79224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 04:05 186640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 03:29:26 180224]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 16:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
    nwprovau.dll 06-09-01 14:49 140048 C:\WINNT\system32\NWPROVAU.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    R0 Achernar;Achernar - SCSI Command Filters;C:\WINNT\system32\Drivers\Achernar.sys [05-05-13 14:07 ]
    R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 23:56 ]
    R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINNT\system32\Drivers\Aldebaran.sys [05-05-13 14:07 ]
    R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 21:22 ]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-01 02:05:26
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-01 2:08:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-31 17:08:06
    ComboFix2.txt 2008-01-30 03:13:31
    .
    2008-01-25 04:06:20 --- E O F ---
     
  13. 2008/02/01
    Pepse

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:13:17 AM, on 2/1/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {47405797-676C-46A0-9B90-565600A78F8A} - C:\WINNT\system32\cbxyv.dll (file missing)
    O2 - BHO: 0 - {CD596FC8-AB25-4AF6-C699-C54E36B263CC} - C:\Program Files\Accessories\lavufawe.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [Oler] "C:\WINNT\system32\ASKS~1\wuauclt.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe "
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136401595865
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe

    --
    End of file - 6744 bytes
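    Geri's removal script goes after the two orphaned BHOs, the HKCU Run entries Oler and QdrPack12, and the log above also carries an O16 ActiveX download from drivecleaner.com. The Python script below is an added example, not something posted in this thread and not part of HijackThis or ComboFix: it parses O2/O4/O16 lines and flags the patterns a helper reads for by hand (a BHO whose DLL is already gone or that has no descriptive name, a Windows system binary started from a subfolder of system32 as with ASKS~1\wuauclt.exe, and an ActiveX control fetched from a host outside an allowlist). The sample lines are copied from the HijackThis logs in this thread; SYSTEM_BINARIES and TRUSTED_DPF_HOSTS are assumed starting points to tune for the machine at hand.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis logs in this thread,
# mixing entries the helper scripted for removal with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {47405797-676C-46A0-9B90-565600A78F8A} - C:\WINNT\system32\cbxyv.dll (file missing)
O2 - BHO: 0 - {CD596FC8-AB25-4AF6-C699-C54E36B263CC} - C:\Program Files\Accessories\lavufawe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Oler] "C:\WINNT\system32\ASKS~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136401595865
"""

# Windows 2000 keeps its system root at C:\WINNT; these core binaries live directly in system32.
SYSTEM32 = r"c:\winnt\system32"
SYSTEM_BINARIES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Assumed allowlist of hosts an ActiveX control (O16) may be downloaded from; tune per environment.
TRUSTED_DPF_HOSTS = {"microsoft.com", "msn.com", "yahoo.com"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.*) - (?P<url>https?://\S+)$")


def executable_of(cmd):
    """Pull the program path out of an O4 command line (quoted, or unquoted up to the first .exe)."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.IGNORECASE)
    if not m:
        return cmd.strip()
    return (m.group(1) or m.group(2)).strip()


def host_trusted(host):
    """True when host is one of the allowlisted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return one finding per suspicious O2/O4/O16 line: {'line', 'name', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        name = None
        m = O2_RE.match(line)
        if m:
            name = ntpath.basename(m.group("path"))
            if m.group("missing"):
                reasons.append("BHO CLSID still registered but its DLL is gone (orphaned loading point)")
            bho_name = m.group("name")
            if bho_name == "(no name)" or not any(c.isalpha() for c in bho_name):
                reasons.append("BHO carries no descriptive name")
        m = O4_RE.match(line)
        if m:
            name = m.group("name")
            exe = executable_of(m.group("cmd"))
            base = ntpath.basename(exe).lower()
            parent = ntpath.dirname(exe).lower()
            # A Windows system binary running from anywhere but system32 itself is a masquerade.
            if base in SYSTEM_BINARIES and parent and parent != SYSTEM32:
                reasons.append(f"{base} is a Windows system binary but runs from {parent}")
        m = O16_RE.match(line)
        if m:
            name = urlparse(m.group("url")).hostname
            if not host_trusted(name):
                reasons.append(f"ActiveX control downloaded from unlisted host {name}")
        if reasons:
            findings.append({"line": line, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

    Run against the sample, the script reports exactly the four entries Geri scripted or that stand out in the log (cbxyv.dll, lavufawe.dll, Oler, drivecleaner.com) and stays quiet on avast!, ctfmon.exe, the Spybot BHO and the Windows Update control. The rules are heuristics: QdrPack12 is not caught by them, which is why a helper still reads the whole log rather than trusting a filter.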
     
  14. 2008/02/01
    Pepse

    Geri,

    This computer seems to be running better, boots up to the desktop quicker. Gets to IE without any strange sites popping in. I will cruise around a bit and post sometime Fri. afternoon or late Fri. nite/Sat. morn.

    I gotta 'nother Dell desktop that was wa-a-a-ay too messed up to try and de-bug so I got the re-installation software and am going through that now.

    Later. Pepse.
     
  15. 2008/02/01
    Geri Lifetime Subscription

    Hi Pepse

    OK, let's do this again.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINNT\system32\cbxyv.dll
    C:\Program Files\Accessories\lavufawe.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD596FC8-AB25-4AF6-C699-C54E36B263CC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47405797-676C-46A0-9B90-565600A78F8A}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Oler"=-
    "QdrPack12"=-
    Please post the new Combofix log.

    Thanks
    Geri
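    The CFScript format used in posts 11 and 15 is small: File::, Folder:: and Registry:: sections, with the registry block following REGEDIT4 conventions, so [-KEY] removes a whole key and "name"=- under a [KEY] line removes one value. It is also unforgiving, since a mistyped name simply fails to match and the entry stays put. The Python validator below is an added example, not code from ComboFix or from this thread: it parses a CFScript into a structure and reports entries outside a section, relative paths, unknown hives, and value lines that have no [KEY] above them, so the file can be checked before it is dropped onto ComboFix.exe. The hive list is an assumption, and the "~" shorthand in key paths is passed through as written.

```python
import re

# Section headers the CFScript format uses in this thread.
SECTIONS = ("File", "Folder", "Registry")
# Assumed set of registry hives a key path may start with.
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: the script from post 15, with the forum's stray spaces before '=' removed.
SCRIPT = r"""
File::
C:\WINNT\system32\cbxyv.dll
C:\Program Files\Accessories\lavufawe.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD596FC8-AB25-4AF6-C699-C54E36B263CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47405797-676C-46A0-9B90-565600A78F8A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Oler"=-
"QdrPack12"=-
"""


def parse_cfscript(text):
    """Parse a CFScript into ({'File': [...], 'Folder': [...], 'Registry': [...]}, errors).

    Registry entries are dicts {'key', 'delete_key', 'delete_values'}: [-KEY] marks the whole
    key for deletion, "name"=- under a plain [KEY] marks one value, as in REGEDIT4 files.
    """
    script = {s: [] for s in SECTIONS}
    errors = []
    section = None
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            current = None
            if section not in script:
                errors.append(f"line {lineno}: unknown section '{line}'")
                section = None
            continue
        if section is None:
            errors.append(f"line {lineno}: entry outside any section: {line}")
        elif section in ("File", "Folder"):
            if not ABS_PATH_RE.match(line):
                errors.append(f"line {lineno}: {section} entry is not an absolute drive path: {line}")
            script[section].append(line)
        else:
            m = KEY_RE.match(line)
            if m:
                key = m.group("key")
                if not key.upper().startswith(HIVES):
                    errors.append(f"line {lineno}: key does not start with a known hive: {key}")
                current = {"key": key, "delete_key": m.group("delete") == "-", "delete_values": []}
                script["Registry"].append(current)
                continue
            m = VALUE_RE.match(line)
            if m is None or m.group("data") != "-":
                errors.append(f"line {lineno}: expected [key] or \"name\"=- but got: {line}")
            elif current is None or current["delete_key"]:
                errors.append(f"line {lineno}: value deletion needs a preceding [key] that is not itself deleted")
            else:
                current["delete_values"].append(m.group("name"))
    return script, errors


if __name__ == "__main__":
    parsed, problems = parse_cfscript(SCRIPT)
    print(parsed)
    print(problems or "no problems found")
```

    On the post 15 script the validator returns two File entries, two key deletions and one Run key with the values Oler and QdrPack12 marked for removal, and no errors; feeding it a value line before any [KEY] or a bare filename under File:: produces one error per offending line.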
     
  16. 2008/02/02
    Pepse

    I am not sure if this is important, but I clicked on the "click here to see how to use the CFScript.txt" and the error is: Invalid attachment specified. If you followed a valid link please notify the administrator. Altho I don't think that is important I thought I would post it. I think when I did this earlier it worked out OK.

    Later. Pepse.
     
  17. 2008/02/02
    Geri Lifetime Subscription

    Hi

    Please delete the combofix you have and get the newer version before running the CFScript.

    The link worked for me? Just drag and drop the CFScript onto Combofix.exe.
    Thanks
    Geri
     
  18. 2008/02/02
    Pepse

    ComboFix 08-02.02.5 - Administrator 02/02/2008 10:27:23.3 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.107 [GMT 9:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
    .

    2008-02-02 10:31 . 08-02-02 10:31 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_474.dat
    2008-02-02 10:31 . 08-02-02 10:31 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_208.dat
    2008-01-27 23:18 . 08-01-27 23:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 14:03 . 08-01-24 21:28 91,136 --------- C:\WINNT\eraseme_51362.exe
    2008-01-24 10:53 . 07-12-04 22:04 837,496 --a------ C:\WINNT\system32\aswBoot.exe
    2008-01-24 10:53 . 04-01-09 18:13 380,928 --a------ C:\WINNT\system32\actskin4.ocx
    2008-01-24 10:53 . 07-12-04 21:54 95,608 --a------ C:\WINNT\system32\AvastSS.scr
    2008-01-24 10:53 . 07-12-04 23:55 94,544 --a------ C:\WINNT\system32\drivers\aswmon2.sys
    2008-01-24 10:53 . 07-12-04 23:56 93,264 --a------ C:\WINNT\system32\drivers\aswmon.sys
    2008-01-24 10:53 . 07-12-04 23:51 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
    2008-01-24 10:53 . 07-12-04 23:49 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
    2008-01-24 10:53 . 07-12-04 23:53 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
    2008-01-24 10:52 . 08-01-24 10:52 <DIR> d-------- C:\Program Files\Alwil Software
    2008-01-24 10:00 . 08-01-24 10:00 54,156 --ah----- C:\WINNT\QTFont.qfn
    2008-01-24 10:00 . 08-01-24 10:00 1,409 --a------ C:\WINNT\QTFont.for
    2008-01-23 22:47 . 08-01-23 22:47 230 --a------ C:\WINNT\wininit.ini
    2008-01-23 21:43 . 08-02-01 02:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-01-23 21:43 . 08-02-01 02:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-30 03:06 --------- d-----w C:\Program Files\Accessories
    2008-01-24 00:34 --------- d-----w C:\Program Files\DefenderPro AntiSpy
    2008-01-23 23:55 --------- d-----w C:\Program Files\Defender Pro
    2006-01-04 17:52 271 ---h--w C:\Program Files\desktop.ini
    2006-01-04 17:52 21,952 ---h--w C:\Program Files\folder.htt
    1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [01-02-21 04:09 8192 C:\WINNT\system32\CTFMON.EXE]
    "Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-20 04:05 111376 C:\WINNT\system32\mobsync.exe]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [06-01-17 16:46 26112]
    "Smart Start UP"="C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe" [03-01-21 13:25 98304]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-03 15:21 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 02:48 36975]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-12-04 22:00 79224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 04:05 186640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 03:29:26 180224]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 16:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
    nwprovau.dll 06-09-01 14:49 140048 C:\WINNT\system32\NWPROVAU.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    R0 Achernar;Achernar - SCSI Command Filters;C:\WINNT\system32\Drivers\Achernar.sys [05-05-13 14:07 ]
    R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 23:56 ]
    R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINNT\system32\Drivers\Aldebaran.sys [05-05-13 14:07 ]
    R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 21:22 ]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-02 10:31:40
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-02 10:35:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-02 01:35:03
    ComboFix2.txt 2008-01-31 17:08:12
    ComboFix3.txt 2008-01-30 03:13:31
    .
    2008-01-25 04:06:20 --- E O F ---
     
  19. 2008/02/02
    Pepse

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:49:29 AM, on 2/2/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINNT\system32\shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136401595865
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe

    --
    End of file - 6898 bytes
     
  20. 2008/02/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Pepse

    OK, looking good.

    Make sure Tea Timer is disabled, then do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINNT\system32\Perflib_Perfdata_474.dat
    C:\WINNT\system32\Perflib_Perfdata_208.dat
    C:\WINNT\eraseme_51362.exe


    After that, Reboot.

    Now please go back to see that the files above were not recreated after a reboot.

    Let me know.

    Thanks
    Geri
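The review Geri is doing by hand above, written out as an added example (this is not code from the thread, from HijackThis or from any of the tools mentioned): a small Python parser for HJT log lines that pulls the CLSID, URL and host out of each entry, flags O16 (Download Program Files) entries whose host is outside a trusted-domain list, flags entries HijackThis has marked "(file missing)", and checks whether a list of file paths still exists, which is the post-reboot verification step requested in the post. The sample lines are copied from the log in this thread; the trusted-host list is an assumption made for the example, not a rule from HijackThis.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample input: a few lines in the format of the HijackThis log
# posted above (the entries themselves are copied from that log).
SAMPLE_LOG = r"""
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136401595865
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O16 - DPF: <description> - <url>"; the first ": " separates the kind from the rest.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(https?://\S+)")

# Hosts treated as expected sources of DPF ActiveX controls. This allowlist is
# an assumption made for the example, not a rule from HijackThis or the thread.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "yahoo.com")


def parse_hjt(text):
    """Parse HijackThis 'O<n>' lines into dicts; unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        url = URL_RE.search(rest)
        entries.append({
            "section": section,
            "kind": kind,
            "rest": rest,
            "clsid": clsid.group(0).upper() if clsid else None,
            "url": url.group(1) if url else None,
            "host": urlparse(url.group(1)).hostname.lower() if url else None,
            # HijackThis marks registry entries whose target no longer exists.
            "file_missing": "(file missing)" in rest,
        })
    return entries


def host_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host equals or is a subdomain of any trusted domain."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def review(entries, trusted=TRUSTED_HOSTS):
    """Return (finding, detail, extra) tuples worth a human look, in log order."""
    findings = []
    for e in entries:
        if e["file_missing"]:
            findings.append(("dangling-entry", e["section"], e["rest"]))
        if e["section"] == "O16" and e["host"] and not host_trusted(e["host"], trusted):
            findings.append(("untrusted-dpf", e["host"], e["clsid"]))
    return findings


def check_paths(paths):
    """Map each path to whether it currently exists (post-reboot recreation check)."""
    return {p: os.path.exists(p) for p in paths}


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG)):
        print(*finding)
    # The files Geri asked to delete; running this again after the reboot
    # shows whether anything has recreated them.
    for path, present in check_paths([
        r"C:\WINNT\system32\Perflib_Perfdata_474.dat",
        r"C:\WINNT\system32\Perflib_Perfdata_208.dat",
        r"C:\WINNT\eraseme_51362.exe",
    ]).items():
        print("present" if present else "absent ", path)
```

The suffix match in host_trusted is deliberate: a host such as update.microsoft.com is accepted, while a lookalike that merely contains a trusted name elsewhere in its labels is not. Anything the script flags is a prompt for a human to look at the entry, as Geri does above, not a verdict on its own.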
     
  21. 2008/02/04
    Pepse

    Pepse Well-Known Member Thread Starter

    Joined:
    2002/01/08
    Messages:
    328
    Likes Received:
    1
    I couldn't figure out how to shut off Tea Timer so I deleted Spybot. Now as for Explorer? Nothing even close to what you want me to do comes up. Being that this is WIN2000 maybe that is why. I am pretty sure I know where you want me to go but I can't remember what command to put in the "Start - Run - xxx" window.

    Later. Pepse.
     
