Trojan / Virus problems

Hello there. I had a problem with my PC about 6 months ago and the people on this site were absolutely terrific in guiding me through how to fix the virus issues I had.

This time it's my father-in-laws PC which has the problem. For the last week or so his AVG software has been going crazy with messages about various trojans found and the Spybot is continually telling of changes in the Registry.

I'm not sure if this is related or not but the following message also appears whenever you re-boot:

ERROR LOADING C:\windows\system32\qfjcmodg.dll The Specified Module Could Not Be Found.

The PC is running Windows XP but the computer itself would be close to 7-8 years old and used to run quite slow as it was. Since this problem it is virtually impossible to access the internet (due to the error messages constantly popping up). Would it be possible for someone to guide me through what programs to download etc. (whilst I am posting from my PC) and then for me to copy both the programs and instructions on what to do onto a memory stick so I could take them around to my father-in-laws computer? Then I'd copy the relevant log files back onto the memory stick, bring it back to my PC and then post them here?

Any help here would be appreciated. Ever since Noahdfear helped me fix my computers problems I always refer people here if they mention they've got virus (or related) issues.

Thanks

 

Hi Waverly

That message is referring to a Vundo file (rogue). Download ComboFix by sUBs from here, and transfer the file to his desktop.


Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

• Close all open programs and windows
• Double click combofix.exe and follow the prompts.
• It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall


The internet connection might well work after running CF, allowing you to post directly from his pc.

 

G'day noahdfear - thanks for your reply.

I will follow your instructions and hopefully post the relevant logs in the next day or so. Will I need to seperately download the latest hijackthis program as well?

Cheers.

 

Yes, you'll need to download HijackThis as well.

 

OK. We've been able to run combofix and hijackthis. Here are the two log files:


ComboFix 08-07-08.5 - Dad 2008-07-09 19:22:05.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT 10:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\winupdate
C:\WINDOWS\BM132020c8.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ahtewflx.ini
C:\WINDOWS\SYSTEM32\BbHQBJlm.ini
C:\WINDOWS\SYSTEM32\BbHQBJlm.ini2
C:\WINDOWS\system32\brpqowoy.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\dixuwpqh.ini
C:\WINDOWS\system32\ewrnqgmv.ini
C:\WINDOWS\system32\extfcgfd.ini
C:\WINDOWS\system32\exwghlgq.dll
C:\WINDOWS\system32\gdomcjfq.ini
C:\WINDOWS\SYSTEM32\giyvptds.ini
C:\WINDOWS\system32\gjsmyqia.ini
C:\WINDOWS\system32\gqctpqsm.ini
C:\WINDOWS\system32\gtkxefwn.ini
C:\WINDOWS\system32\hkumfvek.dll
C:\WINDOWS\system32\ihdjajdt.ini
C:\WINDOWS\system32\iiffFvsS.dll
C:\WINDOWS\system32\intaudmj.ini
C:\WINDOWS\SYSTEM32\JTEKlUtv.ini
C:\WINDOWS\SYSTEM32\JTEKlUtv.ini2
C:\WINDOWS\system32\jyqorvgt.ini
C:\WINDOWS\system32\khfGaaWp.dll
C:\WINDOWS\system32\KTAyayxx.ini
C:\WINDOWS\SYSTEM32\KTAyayxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ping.com
C:\WINDOWS\SYSTEM32\qglhgwxe.ini
C:\WINDOWS\system32\rxqooaon.ini
C:\WINDOWS\system32\sdtpvyig.dll
C:\WINDOWS\system32\ssqOFYQk.dll
C:\WINDOWS\system32\SsvFffii.ini
C:\WINDOWS\SYSTEM32\SsvFffii.ini2
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\vmgqnrwe.dll
C:\WINDOWS\system32\wqkqntfq.ini
C:\WINDOWS\system32\wrchyjsu.dll
C:\WINDOWS\system32\xbxjkhht.dll
C:\WINDOWS\system32\xytlyrvc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-09 18:42 . 2008-07-09 18:42 51,200 --a------ C:\WINDOWS\SYSTEM32\__c00B5216.dat
2008-07-02 21:23 . 2008-07-04 09:14 510 --a------ C:\WINDOWS\wininit.ini
2008-07-02 15:44 . 2008-07-02 15:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-02 15:36 . 2008-07-02 15:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-07-02 15:36 . 2008-07-02 15:36 2,540 --a------ C:\WINDOWS\unins000.dat
2008-07-02 15:25 . 2008-07-02 15:25 <DIR> d-------- C:\Program Files\AVG
2008-07-02 15:25 . 2008-07-02 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 14:56 . 2006-11-09 15:07 49,265 --a------ C:\WINDOWS\SYSTEM32\jpicpl32.cpl
2008-06-30 16:54 . 2008-07-09 17:43 110,419 --a------ C:\WINDOWS\BM132020c8.xml
2008-06-27 22:29 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2008-06-27 22:29 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-06-27 22:29 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-06-11 14:18 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 14:18 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2005-04-04 11:31 266 --sh--w C:\Program Files\desktop.ini
2005-04-04 11:31 11,079 ---h--w C:\Program Files\folder.htt
2004-06-13 02:34 462 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"msnmsgr "= "C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 22:49 68856]
"updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 12:00 208952]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 22:00 455168]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 22:00 455168]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-14 18:11 77824]
"MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 22:00 59392]
"REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"EPSON Stylus CX3100 (Copy 1) "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 14:05 74752]
"EPSON Stylus CX3100 "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 14:05 74752]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-11 20:16:14 282624]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\Messenger\\msmsgs.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE "=


.
- - - - ORPHANS REMOVED - - - -

BHO-{44E6C9DF-841C-46D0-9BB5-B70F9E425C0F} - (no file)
BHO-{7F0164B9-1B61-41E1-A392-33AC2265AF18} - (no file)
BHO-{A6FCCE36-CD60-480F-86F5-34F843AF865A} - C:\WINDOWS\system32\vtUlKETJ.dll
BHO-{B1C04858-94C0-46D5-BB27-32FEC05D37EC} - C:\WINDOWS\system32\xxyayATK.dll
BHO-{DCAA8084-147B-4FF0-A8B0-CBC446BFAA32} - C:\WINDOWS\system32\mlJBQHbB.dll
HKLM-Run-svshost - C:\WINDOWS\system32\ubrxyx\svshost.exe
HKLM-Run-msnappau - C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
HKLM-Run-SurfAccuracy - C:\Program Files\SurfAccuracy\SAcc.exe
HKLM-Run-10131354 - C:\WINDOWS\system32\sdtpvyig.dll
HKLM-Run-BM132020c8 - C:\WINDOWS\system32\xbxjkhht.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 19:39:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\EEBSVC.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM32\SCSIACCESS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-09 19:44:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 09:44:34

Pre-Run: 4,119,011,328 bytes free
Post-Run: 5,150,851,072 bytes free

176 --- E O F --- 2008-06-20 12:44:48




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:29 PM, on 9/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX3100 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3100 (Copy 1)" /O6 "USB001" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O5 "LPT1:" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe "
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7639 bytes

 

And is the internet connection working again?

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

http://www.windowsbbs.com/showthread.php?t=74938

Collect::[22]
C:\WINDOWS\SYSTEM32\__c00B5216.dat
C:\WINDOWS\BM132020c8.xml

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Please note that I have instructed CFScript to collect the above files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!

 

G'day Noahdfear,

It does appear that the internet connection is now working again. Since running the combofix (and uninstalling AVG for the time being) the pc is running a fair bit better (although still got spybot coming up with errors).

I will run through with the additional instructions and revert sometime tonight my time.

Cheers.

 

Let me know what those Spybot errors are too.

 

Just to confirm - is that url for this thread supposed to be in the text box? (apologies if it is - it just looks slightly odd being in there).

Thanks

 

Yes. That lets me know where the file came from.

 

G'day again. Everything seems to have worked. The file was successfully uploaded to bleepingcomputer.com and here are the two log files (after the spybot error stuff):

BTW, here is what the Spybot error says:

Browser Helper Object. Change is: Value Deleted. Entry (44E6C9DF-841C-46D0-PBB5-B70F9E425C0F)

The only option it is asking for is 'Allow Change "

ComboFix 08-07-08.5 - Dad 2008-07-10 19:46:34.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT 10:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dad\err.log
C:\Documents and Settings\Dad\ResErrors.log
C:\WINDOWS\BM132020c8.xml
C:\WINDOWS\SYSTEM32\__c00B5216.dat

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-09 19:47 . 2008-07-09 19:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-02 21:23 . 2008-07-04 09:14 510 --a------ C:\WINDOWS\wininit.ini
2008-07-02 15:44 . 2008-07-02 15:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-02 15:36 . 2008-07-02 15:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-07-02 15:36 . 2008-07-02 15:36 2,540 --a------ C:\WINDOWS\unins000.dat
2008-07-02 15:25 . 2008-07-02 15:25 <DIR> d-------- C:\Program Files\AVG
2008-07-02 15:25 . 2008-07-02 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-02 14:56 . 2006-11-09 15:07 49,265 --a------ C:\WINDOWS\SYSTEM32\jpicpl32.cpl
2008-06-27 22:29 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2008-06-27 22:29 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-06-27 22:29 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-06-11 14:18 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 14:18 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2005-04-04 11:31 266 --sh--w C:\Program Files\desktop.ini
2005-04-04 11:31 11,079 ---h--w C:\Program Files\folder.htt
2004-06-13 02:34 462 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-07-09_19.43.38.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-09 09:39:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 08:36:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
- 2007-11-30 11:18:52 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"msnmsgr "= "C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 22:49 68856]
"updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 12:00 208952]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 22:00 455168]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 22:00 455168]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-14 18:11 77824]
"MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 22:00 59392]
"REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"EPSON Stylus CX3100 (Copy 1) "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 14:05 74752]
"EPSON Stylus CX3100 "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 14:05 74752]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
"svshost "= "C:\WINDOWS\system32\ubrxyx\svshost.exe" [BU]
"msnappau "= "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe" [BU]
"SurfAccuracy "= "C:\Program Files\SurfAccuracy\SAcc.exe" [BU]
"BM132020c8 "= "C:\WINDOWS\system32\xbxjkhht.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-11 20:16:14 282624]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\Messenger\\msmsgs.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE "=


*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

BHO-{44E6C9DF-841C-46D0-9BB5-B70F9E425C0F} - (no file)
BHO-{7F0164B9-1B61-41E1-A392-33AC2265AF18} - (no file)
BHO-{A6FCCE36-CD60-480F-86F5-34F843AF865A} - (no file)
BHO-{B1C04858-94C0-46D5-BB27-32FEC05D37EC} - (no file)
BHO-{DCAA8084-147B-4FF0-A8B0-CBC446BFAA32} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 19:50:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-10 19:51:33
ComboFix-quarantined-files.txt 2008-07-10 09:51:30
ComboFix2.txt 2008-07-09 09:44:56

Pre-Run: 5,037,031,424 bytes free
Post-Run: 5,044,584,448 bytes free

140 --- E O F --- 2008-07-10 08:30:05


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:30 PM, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX3100 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3100 (Copy 1)" /O6 "USB001" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O5 "LPT1:" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe "
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7808 bytes

 

By all means yes, tell Spybot to allow that change. It looks like TeaTimer might be preventing the following registry entries from being removed as well.

O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s

Scan again with HijackThis and fix those 3 entries. Tell Spybot to allow if prompted. You might need to disable TeaTimer if the entries remain after a reboot.

Delete the following folder if present.

C:\WINDOWS\system32\ubrxyx


Download ATF Cleaner by Atribune and save it to your Desktop.

• Double click ATF-Cleaner.exe to run the program.
• Check the boxes to the left of:
  
  
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache
  • Recycle bin
  
  
• The rest are optional - if you want it to remove everything check "Select All ".
• Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.

Reboot


Please scan with Kaspersky WebScanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.

Post the Kaspersky log and a fresh HijackThis log to this topic.

 

Friday, July 11, 2008 10:56:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/07/2008
Kaspersky Anti-Virus database records: 941430
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 40969
Number of viruses found 15
Number of infected objects 44
Number of suspicious objects 0
Duration of the scan process 02:14:31

Infected Object Name Virus Name Last Action
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{04DD23F0-EBCD-489F-84A2-CA7C2C0C7190}.bin Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20060122-181958.backup Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\spool\PRINTERS\00007.SPL Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\brpqowoy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aaex skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hkumfvek.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iiffFvsS.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aafe skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\khfGaaWp.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ssqOFYQk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.zrk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wrchyjsu.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xytlyrvc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aaas skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\__c00B5216.dat.vir Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/mlJBQHbB.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechPowerScan.zip/powerscan.exe Infected: not-a-virus:AdWare.Win32.PowerScan.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechPowerScan.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Pacimedia.zip/mqexdlm.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Pacimedia.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfAccuracy.zip/SAcc.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfAccuracy.zip/SAccU.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfAccuracy.zip ZIP: infected - 2 skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Live Contacts\lindex08@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Live Contacts\lindex08@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DF485D.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DF48C1.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DF89DF.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DF8A64.tmp Object is locked skipped
C:\Documents and Settings\Dad\Desktop\[22]-Submit_2008-07-10@19.46.zip/Collect___c00B5216.dat.vir Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\Dad\Desktop\[22]-Submit_2008-07-10@19.46.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP710\A0033785.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP710\A0033785.exe/file05 Infected: not-a-virusownloader.Win32.WinFixer.gv skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP710\A0033785.exe/file22 Infected: not-a-virus:FraudTool.Win32.BestSeller.au skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP710\A0033785.exe Inno: infected - 3 skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP714\A0033896.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP714\A0033899.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.d skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP714\A0033922.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP719\A0034620.exe/stream/data0002 Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP719\A0034620.exe/stream Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP719\A0034620.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP721\A0034680.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP721\A0034693.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP722\A0034724.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP723\A0034734.DLL Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP723\A0034744.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP727\A0034864.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zrk skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0034990.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aaex skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0034992.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0034993.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aafe skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0034994.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0034996.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zrk skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0034998.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP730\A0035000.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aaas skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP732\change.log Object is locked skipped
Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:06 PM, on 11/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX3100 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3100 (Copy 1)" /O6 "USB001" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O5 "LPT1:" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe "
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7700 bytes

 

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident ".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.

Reboot.

Now scan again with HijackThis and place a check next to the following entries.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s

Close all other windows then click Fix Checked.
Close HijackThis.

Delete the following files and folder if present.

C:\Program Files\SurfAccuracy
C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20060122-181958.backup
C:\Documents and Settings\Dad\Desktop\[22]-Submit_2008-07-10@19.46.zip


Open Spybot and click Recovery
Click Select all, then Purge selected items
Close Spybot

Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

Run ATF Cleaner again to clean temps and recycle bin then reboot.

Create and post a fresh HijackThis log.

 

Here we go (by the way, my Father in law has said his computer is running the best it has in years):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:30 PM, on 15/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX3100 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3100 (Copy 1)" /O6 "USB001" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O5 "LPT1:" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe "
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Exif Launcher.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7025 bytes

 

Looks great! Lets get Java updated now.

Please download JavaRa and save the file to your desktop.

• Right click and Extract All
• Once extracted, open and run JavaRa.exe
• Click Search For Updates
• Select Update Using jucheck.exe
• Click Search
• A newer version should be found. Allow it to be installed.
• If no newer version found, use the Web Update option instead and download the latest (JRE) package, then install.
• When complete, click Remove Older Versions in the JavaRa interface and allow it to proceed
• When that is complete, click Additional Tasks, then select Remove Useless JRE Files and click Go
• Exit the tool when complete.

Once done you can re-enable TeaTimer. Wouldn't hurt to run another Kaspersky scan to make sure we got everything. If clean, looks like we're done.

 

Cool mate. I'll walk my father-in-law through that tonight.

Thanks.

 

When I asked my father-in-law to delete that file that was under C:\Windows\System32...... he says there was no directory 'system32' under c:\Windows when he was looking through windows explorer. I have noticed that the Kaspersky scan has still found something under that directory. I will have a look myself over the weekend if that still needs to be deleted. A further note is that it didn't sound like the java update worked properly (it kept stalling when trying to find updates I believe).

Anyway, here's the log (along with a fresh hijackthis log):


Wednesday, July 16, 2008 10:44:54 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/07/2008
Kaspersky Anti-Virus database records: 959271
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 37656
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 01:55:54

Infected Object Name Virus Name Last Action
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20060122-181958.backup Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\spool\PRINTERS\00007.SPL Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012008071620080717\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Live Contacts\lindex08@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Live Contacts\lindex08@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFBFF4.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFBFFB.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFC953.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFC961.tmp Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP1\change.log Object is locked skipped
Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:25 PM, on 16/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX3100 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3100 (Copy 1)" /O6 "USB001" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O5 "LPT1:" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe "
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7766 bytes

 

Yep, it's still there.

C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20060122-181958.backup Infected: Trojan.Win32.Qhost

If you find the system32 folder is missing, type or paste the following command in a command window then hit enter.

attrib -r -h c:\windows\system32

Should be visible now.

Try downloading Java Runtime Environment (JRE) 6 Update 7 directly.

 

Hi there.

Have since been able to find that file and delete it (the one you mention above). Also, have updated Java so here are the latest logfiles:



Tuesday, July 22, 2008 10:51:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/07/2008
Kaspersky Anti-Virus database records: 983940
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 49981
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 03:18:17

Infected Object Name Virus Name Last Action
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\spool\PRINTERS\00007.SPL Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Live Contacts\lindex08@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Live Contacts\lindex08@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFD1C3.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFD221.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFE29B.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\temp\~DFE2A2.tmp Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{2F1CF0A1-3437-452E-9A32-6BC2E265D88C}\RP9\change.log Object is locked skipped
Scan process completed.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:15 PM, on 22/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Documents and Settings\Dad\Desktop\spider.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX3100 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3100 (Copy 1)" /O6 "USB001" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O5 "LPT1:" /M "Stylus CX3100 "
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe "
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\ubrxyx\svshost.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [BM132020c8] Rundll32.exe "C:\WINDOWS\system32\xbxjkhht.dll ",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7843 bytes