
Solved: cannot copy file log from HijackThis

Discussion in 'Malware and Virus Removal Archive' started by dtonning, 2008/09/08.

  1. 2008/09/08
    dtonning (Thread Starter)
    [Resolved] cannot copy file log from hijackthis

    I am new to this forum, and at wit's end. I have Windows XP Home and an XP antivirus problem. I have searched here and found some great ideas, but my problem persists. I have no internet, and I have run the tools, and the connection is good. I cannot download anything because of no way to get online. I have another laptop I am using now, and I downloaded HijackThis, put it on a flash stick and put that in the other computer. I did the install of HijackThis, and it gave me the log file, but as soon as I try to copy it, it vanishes. I thought I could send it back to the flash and post it here, but to no avail. I would certainly appreciate some advice on this. I now have the blue screen of death, and it restarts continually.
     
    Last edited: 2008/09/09
  2. 2008/09/09
    Geri (Alumni)
    Hi dtonning

    OK please download this and transfer it to the infected computer and run it.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications, as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double click combofix.exe and follow the prompts.
    • Vista users: right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the log if you get one.

    Thanks
    Geri
     


  4. 2008/09/10
    dtonning (Thread Starter)
    Here is the log from ComboFix

    ComboFix 08-09-05.14 - David Tonning 2008-09-10 7:52:51.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1606 [GMT -4:00]
    Running from: H:\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Broc Tonning\Cookies\broc_tonning@ad.yieldmanager[2].txt
    C:\Documents and Settings\Broc Tonning\Cookies\broc_tonning@advertising[1].txt
    C:\Documents and Settings\Broc Tonning\Cookies\broc_tonning@ehg-chrysler.hitbox[2].txt
    C:\Documents and Settings\Broc Tonning\Cookies\broc_tonning@insightexpressai[1].txt
    C:\Documents and Settings\Broc Tonning\Cookies\broc_tonning@trafficmp[2].txt
    C:\Documents and Settings\David Tonning\Favorites\Online Security Test.url
    C:\Documents and Settings\David Tonning\My Documents\My Documents.url
    C:\Documents and Settings\David Tonning\My Documents\My Music\My Music.url
    C:\Documents and Settings\David Tonning\My Documents\My Pictures\My Pictures.url
    C:\Documents and Settings\David Tonning\My Documents\My Videos\My Video.url
    C:\Documents and Settings\Karen Tonning\Cookies\karen tonning@ehg-clearchannel.hitbox[2].txt
    C:\Program Files\AAV
    C:\Program Files\AAV\aav.cpl
    C:\Program Files\AAV\aav.exe
    C:\Program Files\AAV\aav0.dat
    C:\Program Files\AAV\aav1.dat
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\SYSTEM32\788877
    C:\WINDOWS\SYSTEM32\788877\788877.dll
    C:\WINDOWS\system32\blphcre5j0e7a9.scr
    C:\WINDOWS\system32\lphcre5j0e7a9.exe
    C:\WINDOWS\system32\msvcsv60.dll
    C:\WINDOWS\system32\phcre5j0e7a9.bmp
    C:\WINDOWS\system32\tdssadw.dll
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\tdssservers.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SYSREST.SYS
    -------\Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
    .

    2008-09-10 07:34 . 2008-09-10 08:11 86,804 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\6af91fe.sys
    2008-09-08 19:27 . 2008-09-08 19:27 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-24 13:49 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
    2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
    2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
    2008-08-24 13:39 . 2008-08-24 13:39 <DIR> d-------- C:\WINDOWS\EHome
    2008-08-24 13:30 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\SYSTEM32\spdwnwxp.exe
    2008-08-24 13:09 . 2008-08-25 19:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Program Files\Kjaerhus Audio
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-17 15:18 . 2008-08-24 09:50 <DIR> d-------- C:\Documents and Settings\David Tonning\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-24 16:53 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-24 13:59 --------- d-----w C:\Program Files\Dvd-cloner
    2008-08-24 13:56 --------- d-----w C:\Program Files\Common Files\Real
    2008-08-24 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-01 01:05 --------- d-----w C:\Program Files\Toontrack
    2005-12-29 01:46 533 -c--a-w C:\Program Files\INSTALL.LOG
    2005-01-21 00:53 45,056 -c----r C:\Program Files\SetAttrib.exe
    2004-11-30 07:23 40,960 -c----r C:\Program Files\delete.exe
    2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
    2006-01-16 02:58 8 -csh--r C:\WINDOWS\SYSTEM32\B08EB01652.sys
    2006-01-16 02:58 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
    2004-08-04 06:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    2008-04-13 20:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
    2004-08-04 06:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

    2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
    2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

    2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
    2004-08-04 06:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

    2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
    2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DLLCACHE\ip6fw.sys
    2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

    2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
    2004-08-04 06:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

    2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
    2004-08-04 06:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

    2008-04-13 20:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
    2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
    2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

    2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\SYSTEM32\USERINIT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VX3000 "= "C:\WINDOWS\vVX3000.exe" [2007-04-10 709992]
    "H2O "= "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
    "EverioService "= "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 151552]
    "LifeCam "= "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    LoopBe1 Monitor.lnk - C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe [2005-04-20 225280]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSACM.MI-SC4 "= MI-SC4.acm
    "Midi1 "= gmidi.dll
    "Midi2 "= KORGUMDD.DRV

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a--c--- 2007-01-10 01:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a--c--- 2004-08-04 06:00 15360 C:\WINDOWS\SYSTEM32\CTFMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2007-04-03 18:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 942]
    --a--c--- 2004-08-31 15:18 294912 C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
    --a--c--- 2004-07-27 15:08 262144 C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a--c--- 2004-12-06 02:05 127035 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    -----c--- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
    --a------ 2005-10-23 01:00 385024 C:\Program Files\Syncrosoft\POS\H2O\cledx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a--c--- 2005-09-20 09:32 77824 C:\WINDOWS\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a--c--- 2005-09-20 09:36 114688 C:\WINDOWS\SYSTEM32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    --a--c--- 2005-09-20 09:35 94208 C:\WINDOWS\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a--c--- 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    --a--c--- 2003-08-18 17:46 53248 C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    --a--c--- 2005-03-12 07:25 11776 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    --a--c--- 2005-03-12 07:25 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    --a--c--- 2007-01-14 03:11 771704 C:\Program Files\Norton AntiVirus\osCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a--c--- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a--c--- 2004-10-14 16:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-05-21 21:25 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
    --a--c--- 2007-03-07 10:58 1773568 C:\Program Files\support.com\bin\tgcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EW Message Server]
    --a--c--- 2003-01-24 16:00 45056 C:\WINDOWS\SYSTEM32\Msg32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartTranzPortApplet]
    --a--c--- 2005-02-14 16:14 180224 C:\WINDOWS\SYSTEM32\TranzPortApplet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SymAppCore "=2 (0x2)
    "Symantec Core LC "=3 (0x3)
    "Roger Wilco Base Station "=2 (0x2)
    "RichVideo "=2 (0x2)
    "NetSvc "=3 (0x3)
    "LiveUpdate "=3 (0x3)
    "KodakCCS "=3 (0x3)
    "ISPwdSvc "=3 (0x3)
    "iPod Service "=3 (0x3)
    "IDriverT "=3 (0x3)
    "gusvc "=3 (0x3)
    "DSBrokerService "=3 (0x3)
    "dlbu_device "=3 (0x3)
    "CLTNetCnService "=2 (0x2)
    "ccSetMgr "=2 (0x2)
    "ccEvtMgr "=2 (0x2)
    "Automatic LiveUpdate Scheduler "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE "=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\eJamming\\eJammingAUDiiO\\eJammingAUDiiO.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe "=
    "C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8995:TCP "= 8995:TCP:BitComet 8995 TCP
    "8995:UDP "= 8995:UDP:BitComet 8995 UDP
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009

    R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
    R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
    R3 sysrest.sys;sysrest.sys;C:\WINDOWS\system32\sysrest.sys [2008-09-10 15328]
    R3 TranzPort;TranzPort Driver;C:\WINDOWS\system32\Drivers\TranzPort.sys [2005-02-18 55992]
    R3 TranzPortWdmService;TranzPort Wdm Audio;C:\WINDOWS\system32\Drivers\TranzPortWdm.sys [2004-12-08 86776]
    S3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
    S3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2003-01-24 27060]
    S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2005-12-20 14976]
    S3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2003-01-24 13152]
    S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 16896]
    S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2004-07-30 217472]
    S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 17277]
    S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2004-07-30 86648]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67ac1d0c-1047-11da-a151-0013200144d9}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    *Newly Created Service* - sysrest.sys
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Antivirus - C:\Program Files\AAV\aav.exe
    HKLM-Run-lphcre5j0e7a9 - C:\WINDOWS\system32\lphcre5j0e7a9.exe
    HKLM-Run-inrhcve5j0e7a9 - C:\Documents and Settings\David Tonning\Local Settings\Temp\.tt2B.tmp.exe
    HKLM-Run-sysrest32.exe - C:\WINDOWS\system32\sysrest32.exe
    SharedTaskScheduler-{ecc974ae-6ede-44a2-90da-93b996d8eaf8} - C:\WINDOWS\system32\blbpeoy.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\David Tonning\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/home.html
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-10 08:10:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\sysrest.sys 15328 bytes executable
    C:\WINDOWS\system32\sysrest32.exe 23552 bytes executable

    scan completed successfully
    hidden files: 2

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6af91fe]
    "ImagePath "= "\SystemRoot\System32\drivers\6af91fe.sys "
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\SYSTEM32\FXSSVC.EXE
    C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-09-10 8:21:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-10 12:21:14

    Pre-Run: 44,833,935,360 bytes free
    Post-Run: 47,235,981,312 bytes free

    278 --- E O F --- 2008-09-10 11:35:17
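A triage pass over a ComboFix log like the one just posted, as an added example (this is not ComboFix's, the helper's or the forum's own code): it splits the log on its section banners and pulls out what a helper reads first, the deletions, the removed legacy services, newly created drivers with random hex names such as 6af91fe.sys, catchme's hidden files, orphaned Run entries, and the registry values that switch off the firewall and Security Center monitoring. The embedded log excerpt is constructed to mirror the post above, and the function names, section titles and regexes are assumptions based on that log's layout.

```python
"""Triage a ComboFix log like the one posted above (added example, not ComboFix's code)."""
import re
from collections import defaultdict

# Constructed excerpt mirroring the thread's first ComboFix log; not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\AAV\aav.exe
C:\WINDOWS\system32\lphcre5j0e7a9.exe
C:\WINDOWS\system32\tdssinit.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.
2008-09-10 07:34 . 2008-09-10 08:11 86,804 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\6af91fe.sys
2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009

*Newly Created Service* - sysrest.sys
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sysrest32.exe - C:\WINDOWS\system32\sysrest32.exe
.
------- Supplementary Scan -------
.
C:\WINDOWS\system32\sysrest.sys 15328 bytes executable
C:\WINDOWS\system32\sysrest32.exe 23552 bytes executable
"""

# Section banners look like '((( Title )))', '--- Title ---' or '- - - Title - - -'.
HEADER_RE = re.compile(r"^(?:\(+|[- ]+)\s*([A-Za-z][^()]*?)\s*(?:\)+|[- ]+)$")
# 'Files Created' rows: two timestamps, a size or <DIR>, attribute flags, then the path.
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
                        r"(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")
HIDDEN_RE = re.compile(r"^(.+?)\s+\d+ bytes executable$")        # catchme hidden-file rows
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\* - (.+)$")
OPEN_PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))\s*"\s*=')       # GloballyOpenPorts rows
WEAK_SETTINGS = {  # registry values that switch off the host's own defences
    "Windows Firewall disabled": re.compile(r'^"EnableFirewall\s*"\s*=\s*0\b'),
    "Security Center monitoring disabled": re.compile(r'^"DisableMonitoring\s*"\s*=\s*dword:0*1$'),
}

def split_sections(text):
    """Map each section banner title to the non-empty, non-'.' lines beneath it."""
    sections = defaultdict(list)
    current = "Preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections

def looks_random_driver(path):
    """True for a .sys in the DRIVERS folder whose stem is pure hex containing digits, e.g. 6af91fe.sys."""
    name = path.rsplit("\\", 1)[-1].lower()
    if not (name.endswith(".sys") and "\\drivers\\" in path.lower()):
        return False
    stem = name[:-4]
    return re.fullmatch(r"[0-9a-f]+", stem) is not None and any(c.isdigit() for c in stem)

def triage(text):
    """Collect the indicators a helper reads first, keyed by kind."""
    sections = split_sections(text)
    out = {
        "deleted": sections.get("Other Deletions", []),
        "removed_services": [ln.split("\\", 1)[1] for ln in sections.get("Drivers/Services", []) if "\\" in ln],
        "orphans": sections.get("ORPHANS REMOVED", []),
        "random_drivers": [], "hidden_files": [], "new_services": [], "open_ports": [], "weak_settings": [],
    }
    for title, lines in sections.items():
        for line in lines:
            created = CREATED_RE.match(line)
            if title.startswith("Files Created") and created and looks_random_driver(created.group(1)):
                out["random_drivers"].append(created.group(1))
            for key, rx in (("hidden_files", HIDDEN_RE), ("new_services", NEW_SERVICE_RE),
                            ("open_ports", OPEN_PORT_RE)):
                m = rx.match(line)
                if m:
                    out[key].append(m.group(1))
            out["weak_settings"] += [label for label, rx in WEAK_SETTINGS.items() if rx.match(line)]
    return out
```

Run `triage(open("ComboFix.txt").read())` on a real log; the random-driver, hidden-file and newly-created-service entries it returns are exactly the ones the CFScript in the next reply targets.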
     
  5. 2008/09/10
    Geri (Alumni)
    Hi
    Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\SYSTEM32\DRIVERS\6af91fe.sys

    RootKit::
    C:\WINDOWS\system32\sysrest.sys

    Driver::
    sysrest.sys

    Please post the ComboFix log.

    Thanks
    Geri
     
  6. 2008/09/10
    dtonning (Thread Starter)
    Here is the new ComboFix log

    ComboFix 08-09-10.02 - David Tonning 2008-09-10 23:42:15.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1572 [GMT -4:00]
    Running from: C:\Documents and Settings\David Tonning\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\David Tonning\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\6af91fe.sys
    C:\WINDOWS\system32\sysrest.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_sysrest.sys
    -------\Service_6af91fe


    ((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
    .

    2008-09-08 19:27 . 2008-09-08 19:27 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-08 19:26 . 2008-09-08 19:26 23,552 --a------ C:\WINDOWS\SYSTEM32\sysrest32.exe
    2008-08-24 13:49 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
    2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
    2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
    2008-08-24 13:39 . 2008-08-24 13:39 <DIR> d-------- C:\WINDOWS\EHome
    2008-08-24 13:30 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\SYSTEM32\spdwnwxp.exe
    2008-08-24 13:09 . 2008-08-25 19:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Program Files\Kjaerhus Audio
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-17 15:18 . 2008-08-24 09:50 <DIR> d-------- C:\Documents and Settings\David Tonning\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-24 16:53 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-24 13:59 --------- d-----w C:\Program Files\Dvd-cloner
    2008-08-24 13:56 --------- d-----w C:\Program Files\Common Files\Real
    2008-08-24 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-01 01:05 --------- d-----w C:\Program Files\Toontrack
    2005-12-29 01:46 533 -c--a-w C:\Program Files\INSTALL.LOG
    2005-01-21 00:53 45,056 -c----r C:\Program Files\SetAttrib.exe
    2004-11-30 07:23 40,960 -c----r C:\Program Files\delete.exe
    2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
    2006-01-16 02:58 8 -csh--r C:\WINDOWS\SYSTEM32\B08EB01652.sys
    2006-01-16 02:58 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
    2004-08-04 06:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    2008-04-13 20:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
    2004-08-04 06:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

    2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
    2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

    2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
    2004-08-04 06:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

    2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
    2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DLLCACHE\ip6fw.sys
    2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

    2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
    2004-08-04 06:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

    2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
    2004-08-04 06:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

    2008-04-13 20:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
    2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
    2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

    2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\SYSTEM32\USERINIT.EXE
    .
    ((((((((((((((((((((((((((((( snapshot@2008-09-10_ 8.20.49.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-11 03:48:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6ec.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VX3000 "= "C:\WINDOWS\vVX3000.exe" [2007-04-10 709992]
    "H2O "= "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
    "EverioService "= "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 151552]
    "LifeCam "= "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    LoopBe1 Monitor.lnk - C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe [2005-04-20 225280]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSACM.MI-SC4 "= MI-SC4.acm
    "Midi1 "= gmidi.dll
    "Midi2 "= KORGUMDD.DRV

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a--c--- 2007-01-10 01:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a--c--- 2004-08-04 06:00 15360 C:\WINDOWS\SYSTEM32\CTFMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2007-04-03 18:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 942]
    --a--c--- 2004-08-31 15:18 294912 C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
    --a--c--- 2004-07-27 15:08 262144 C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a--c--- 2004-12-06 02:05 127035 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    -----c--- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
    --a------ 2005-10-23 01:00 385024 C:\Program Files\Syncrosoft\POS\H2O\cledx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a--c--- 2005-09-20 09:32 77824 C:\WINDOWS\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a--c--- 2005-09-20 09:36 114688 C:\WINDOWS\SYSTEM32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    --a--c--- 2005-09-20 09:35 94208 C:\WINDOWS\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a--c--- 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    --a--c--- 2003-08-18 17:46 53248 C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    --a--c--- 2005-03-12 07:25 11776 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    --a--c--- 2005-03-12 07:25 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    --a--c--- 2007-01-14 03:11 771704 C:\Program Files\Norton AntiVirus\osCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a--c--- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a--c--- 2004-10-14 16:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-05-21 21:25 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
    --a--c--- 2007-03-07 10:58 1773568 C:\Program Files\support.com\bin\tgcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EW Message Server]
    --a--c--- 2003-01-24 16:00 45056 C:\WINDOWS\SYSTEM32\Msg32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartTranzPortApplet]
    --a--c--- 2005-02-14 16:14 180224 C:\WINDOWS\SYSTEM32\TranzPortApplet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SymAppCore"=2 (0x2)
    "Symantec Core LC"=3 (0x3)
    "Roger Wilco Base Station"=2 (0x2)
    "RichVideo"=2 (0x2)
    "NetSvc"=3 (0x3)
    "LiveUpdate"=3 (0x3)
    "KodakCCS"=3 (0x3)
    "ISPwdSvc"=3 (0x3)
    "iPod Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "DSBrokerService"=3 (0x3)
    "dlbu_device"=3 (0x3)
    "CLTNetCnService"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "Automatic LiveUpdate Scheduler"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\eJamming\\eJammingAUDiiO\\eJammingAUDiiO.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
    "C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8995:TCP"= 8995:TCP:BitComet 8995 TCP
    "8995:UDP"= 8995:UDP:BitComet 8995 UDP
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
    R3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
    R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
    R3 TranzPort;TranzPort Driver;C:\WINDOWS\system32\Drivers\TranzPort.sys [2005-02-18 55992]
    R3 TranzPortWdmService;TranzPort Wdm Audio;C:\WINDOWS\system32\Drivers\TranzPortWdm.sys [2004-12-08 86776]
    S3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2003-01-24 27060]
    S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2005-12-20 14976]
    S3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2003-01-24 13152]
    S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 16896]
    S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2004-07-30 217472]
    S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 17277]
    S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2004-07-30 86648]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67ac1d0c-1047-11da-a151-0013200144d9}]
    \Shell\AutoRun\command - H:\setupSNK.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-10 23:56:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\SYSTEM32\FXSSVC.EXE
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-11 0:08:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-11 04:07:59
    ComboFix2.txt 2008-09-10 12:21:21

    Pre-Run: 47,515,549,696 bytes free
    Post-Run: 47,509,176,320 bytes free

    238 --- E O F --- 2008-09-10 11:35:17
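The firewall, Security Center and MountPoints2 entries in the "Reg Loading Points" dump above are the part of a ComboFix log a responder reads first: Security Center monitoring is switched off for Windows and for both Symantec products, the standard-profile firewall is disabled, 3389/TCP is globally open, and a removable-drive AutoRun command is recorded. The script below is an added example, not part of the thread and not ComboFix's own code; it parses that REGEDIT4-style section and reports those settings. The sample excerpt inside it is constructed from the posted values (the 3389 label is written `:@xpsp2res.dll,-22009`, the form ComboFix prints before the forum's smiley filter altered it), and the port-label table is the editor's annotation.

```python
"""Audit the posture-related entries in a ComboFix 'Reg Loading Points' dump.

Added example; it is not part of the thread or of ComboFix. It parses the
REGEDIT4-style section (bracketed key paths followed by "name"=value lines)
and reports what a responder checks first: Security Center monitoring switched
off, the Windows Firewall profile disabled, globally open ports, firewall
exceptions, and AutoRun commands recorded under MountPoints2.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the log above (values as the log shows
# them; ":@xpsp2res.dll,-22009" is the unmangled resource reference).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8995:TCP"= 8995:TCP:BitComet 8995 TCP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67ac1d0c-1047-11da-a151-0013200144d9}]
\Shell\AutoRun\command - H:\setupSNK.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")

# Port labels are the editor's annotations, not something ComboFix prints.
PORT_LABELS = {"3389:TCP": "Remote Desktop"}


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each lower-cased key path to its (name, value) pairs.

    AutoRun command lines have no "name"= form, so they are stored under the
    synthetic name 'AutoRun'.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is None:
            continue  # value lines before any section header are ignored
        elif (m := VALUE_RE.match(line)):
            sections[current].append((m.group("name"), m.group("value").strip()))
        elif (m := AUTORUN_RE.match(line)):
            sections[current].append(("AutoRun", m.group("cmd").strip()))
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per posture-relevant entry, in log order."""
    findings: List[str] = []
    for path, values in parse_sections(text).items():
        for name, value in values:
            lname = name.lower()
            if "\\security center\\monitoring" in path and lname == "disablemonitoring" \
                    and value.endswith("1"):
                findings.append(f"Security Center monitoring disabled: {path}")
            elif path.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" \
                    and value.startswith("0"):
                findings.append("Windows Firewall standard profile is OFF")
            elif path.endswith("globallyopenports\\list"):
                label = PORT_LABELS.get(name.upper(), "unlabelled")
                findings.append(f"Globally open port {name} ({label}): {value}")
            elif path.endswith("authorizedapplications\\list"):
                findings.append(f"Firewall exception for {name}")
            elif "\\mountpoints2\\" in path and name == "AutoRun":
                findings.append(f"MountPoints2 AutoRun command: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Paste the whole "Reg Loading Points" block of a log into `SAMPLE_LOG` (or read it from a file) to get the same report for a real case; entries the script does not recognise are simply not listed, so an empty report means "nothing in the sections it knows about", not "clean".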
     
  7. 2008/09/10
    dtonning

    dtonning Inactive Thread Starter

    Joined:
    2008/09/07
    Messages:
    30
    Likes Received:
    0
    Here is the newest HijackThis log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:11:13 AM, on 9/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - @@7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    O2 - BHO: (no name) - p@5F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - rsion - (no file)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - *@BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - (no file)
    O2 - BHO: (no name) - ¨¨0-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~3.DLL
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe "
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: LoopBe1 Monitor.lnk = C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165113812250
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7629 bytes
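The log above shows the three things a responder looks for in a HijackThis listing: R0/R1 browser settings redirected to a host that does not belong there (internetsearchservice.com), O2/O3 BHO and toolbar entries whose CLSID is not well-formed or whose file is gone, and an O16 ActiveX (DPF) entry with no source URL. The script below is an added example, not part of the thread and not HijackThis's own code. Its sample lines are taken from the posted log; the host allowlist is the editor's assumption for this machine and has to be tuned per case.

```python
"""Triage the R/O entries of a HijackThis log for hijack indicators.

Added example, not part of the thread or of HijackThis. It flags R0/R1
browser settings that point at a host outside an allowlist, O2/O3 BHO and
toolbar entries whose CLSID is not well-formed or whose file is missing, and
O16 ActiveX (DPF) entries that carry no source URL.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed from lines in the log above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - @@7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

# Assumed allowlist for this machine: the ISP and vendor hosts that legitimately
# appear in the posted log. Tune it per case; it is not a HijackThis feature.
ALLOWED_HOST_SUFFIXES = ("microsoft.com", "yahoo.com", "comcast.net", "live.com")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

Finding = Tuple[str, str, str]  # (entry kind, reason, original line)


def host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted suffix; no substring tricks."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # Search/start-page hijacks show up as URLs on unexpected hosts.
            for url in URL_RE.findall(body):
                host = urlsplit(url).hostname or ""
                if not host_allowed(host):
                    findings.append((kind, f"browser setting points at {host}", line))
        elif kind in ("O2", "O3"):
            if not CLSID_RE.search(body):
                findings.append((kind, "CLSID is not well-formed", line))
            elif body.endswith("(no file)"):
                findings.append((kind, "orphaned entry, target file missing", line))
        elif kind == "O16" and not URL_RE.search(body):
            findings.append((kind, "ActiveX (DPF) entry with no source URL", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_HJT):
        print(f"{kind:4} {reason:40} {line}")
```

The allowlist check is a suffix match on the parsed hostname rather than a substring search on the line, so `internetsearchservice.com` is flagged while `go.microsoft.com` passes and a lookalike such as `evilmicrosoft.com` does not sneak through.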
     
  8. 2008/09/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please delete the CFScript you have on your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    KillAll::
    File::
    C:\WINDOWS\SYSTEM32\sysrest32.exe 
    Please post the CF log.

    Thanks
    Geri
     
    Geri,
    #7
  9. 2008/09/11
    dtonning

    dtonning Inactive Thread Starter

    Joined:
    2008/09/07
    Messages:
    30
    Likes Received:
    0
    New ComboFix log.

    ComboFix 08-09-10.02 - David Tonning 2008-09-11 7:01:33.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1641 [GMT -4:00]
    Running from: C:\Documents and Settings\David Tonning\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\David Tonning\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SYSTEM32\sysrest32.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
    .

    2008-09-08 19:27 . 2008-09-08 19:27 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-24 13:49 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
    2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
    2008-08-24 13:49 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
    2008-08-24 13:39 . 2008-08-24 13:39 <DIR> d-------- C:\WINDOWS\EHome
    2008-08-24 13:30 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\SYSTEM32\spdwnwxp.exe
    2008-08-24 13:09 . 2008-08-25 19:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Program Files\Kjaerhus Audio
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-24 09:56 . 2008-08-24 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-17 15:18 . 2008-08-24 09:50 <DIR> d-------- C:\Documents and Settings\David Tonning\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-24 16:53 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-24 13:59 --------- d-----w C:\Program Files\Dvd-cloner
    2008-08-24 13:56 --------- d-----w C:\Program Files\Common Files\Real
    2008-08-24 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-01 01:05 --------- d-----w C:\Program Files\Toontrack
    2005-12-29 01:46 533 -c--a-w C:\Program Files\INSTALL.LOG
    2005-01-21 00:53 45,056 -c----r C:\Program Files\SetAttrib.exe
    2004-11-30 07:23 40,960 -c----r C:\Program Files\delete.exe
    2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
    2006-01-16 02:58 8 -csh--r C:\WINDOWS\SYSTEM32\B08EB01652.sys
    2006-01-16 02:58 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
    2004-08-04 06:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    2008-04-13 20:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
    2004-08-04 06:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

    2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
    2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

    2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
    2004-08-04 06:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

    2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
    2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DLLCACHE\ip6fw.sys
    2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

    2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
    2004-08-04 06:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

    2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
    2004-08-04 06:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

    2008-04-13 20:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
    2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
    2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

    2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\SYSTEM32\USERINIT.EXE
    .
    ((((((((((((((((((((((((((((( snapshot@2008-09-10_ 8.20.49.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
    + 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
    - 2006-10-19 02:47:20 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
    + 2008-06-24 22:12:58 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
    + 2008-09-11 11:10:42 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6e4.dat
    + 2008-04-15 17:54:19 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "MSMSGS"= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe"= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VX3000"= "C:\WINDOWS\vVX3000.exe" [2007-04-10 709992]
    "H2O"= "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
    "EverioService"= "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 151552]
    "LifeCam"= "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    LoopBe1 Monitor.lnk - C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe [2005-04-20 225280]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSACM.MI-SC4"= MI-SC4.acm
    "Midi1"= gmidi.dll
    "Midi2"= KORGUMDD.DRV

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a--c--- 2007-01-10 01:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a--c--- 2004-08-04 06:00 15360 C:\WINDOWS\SYSTEM32\CTFMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2007-04-03 18:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 942]
    --a--c--- 2004-08-31 15:18 294912 C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
    --a--c--- 2004-07-27 15:08 262144 C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a--c--- 2004-12-06 02:05 127035 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    -----c--- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
    --a------ 2005-10-23 01:00 385024 C:\Program Files\Syncrosoft\POS\H2O\cledx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a--c--- 2005-09-20 09:32 77824 C:\WINDOWS\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a--c--- 2005-09-20 09:36 114688 C:\WINDOWS\SYSTEM32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    --a--c--- 2005-09-20 09:35 94208 C:\WINDOWS\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a--c--- 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    --a--c--- 2003-08-18 17:46 53248 C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    --a--c--- 2005-03-12 07:25 11776 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    --a--c--- 2005-03-12 07:25 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    --a--c--- 2007-01-14 03:11 771704 C:\Program Files\Norton AntiVirus\osCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a--c--- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a--c--- 2004-10-14 16:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-05-21 21:25 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
    --a--c--- 2007-03-07 10:58 1773568 C:\Program Files\support.com\bin\tgcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EW Message Server]
    --a--c--- 2003-01-24 16:00 45056 C:\WINDOWS\SYSTEM32\Msg32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartTranzPortApplet]
    --a--c--- 2005-02-14 16:14 180224 C:\WINDOWS\SYSTEM32\TranzPortApplet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SymAppCore"=2 (0x2)
    "Symantec Core LC"=3 (0x3)
    "Roger Wilco Base Station"=2 (0x2)
    "RichVideo"=2 (0x2)
    "NetSvc"=3 (0x3)
    "LiveUpdate"=3 (0x3)
    "KodakCCS"=3 (0x3)
    "ISPwdSvc"=3 (0x3)
    "iPod Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "DSBrokerService"=3 (0x3)
    "dlbu_device"=3 (0x3)
    "CLTNetCnService"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "Automatic LiveUpdate Scheduler"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\eJamming\\eJammingAUDiiO\\eJammingAUDiiO.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
    "C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8995:TCP"= 8995:TCP:BitComet 8995 TCP
    "8995:UDP"= 8995:UDP:BitComet 8995 UDP
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
    R3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
    R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
    R3 TranzPort;TranzPort Driver;C:\WINDOWS\system32\Drivers\TranzPort.sys [2005-02-18 55992]
    R3 TranzPortWdmService;TranzPort Wdm Audio;C:\WINDOWS\system32\Drivers\TranzPortWdm.sys [2004-12-08 86776]
    S3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2003-01-24 27060]
    S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2005-12-20 14976]
    S3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2003-01-24 13152]
    S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 16896]
    S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2004-07-30 217472]
    S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 17277]
    S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2004-07-30 86648]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67ac1d0c-1047-11da-a151-0013200144d9}]
    \Shell\AutoRun\command - H:\setupSNK.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-11 07:19:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\SYSTEM32\FXSSVC.EXE
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-11 7:32:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-11 11:32:30
    ComboFix2.txt 2008-09-11 04:08:06
    ComboFix3.txt 2008-09-10 12:21:21

    Pre-Run: 47,445,352,448 bytes free
    Post-Run: 47,436,836,864 bytes free

    237 --- E O F --- 2008-09-11 07:01:45
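The three registry sections near the top of this ComboFix log are the ones a reviewer reads first: the firewall AuthorizedApplications list (which programs hold exceptions), GloballyOpenPorts (the `@xpsp2res.dll,-22009` text is a resource-string reference, which is how Windows labels its own built-in exceptions; 3389/TCP is Remote Desktop), and the MountPoints2 entry, where Explorer caches the AutoRun command it read from a removable drive's autorun.inf (here `H:\setupSNK.exe`), the usual USB propagation hook. The script below is an added example, not part of the thread or of ComboFix: it parses a constructed excerpt modelled on the log above and flags P2P clients with firewall exceptions, globally open sensitive or P2P ports, and any cached removable-drive AutoRun command. The keyword lists and the sample excerpt are assumptions for illustration.

```python
import re

# Constructed excerpt modelled on the ComboFix log above (not the real log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8995:TCP"= 8995:TCP:BitComet 8995 TCP
"8995:UDP"= 8995:UDP:BitComet 8995 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67ac1d0c-1047-11da-a151-0013200144d9}]
\Shell\AutoRun\command - H:\setupSNK.exe
"""

# Assumed keyword lists; extend them for the environment being reviewed.
P2P_MARKERS = ("bittorrent", "bitcomet", "utorrent", "limewire", "emule")
SENSITIVE_PORTS = {"3389": "RDP", "445": "SMB", "139": "NetBIOS", "135": "RPC", "23": "Telnet"}
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')


def split_sections(text):
    """Group the lines of a ComboFix registry dump under the [key] header above them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (label, detail) findings for the firewall and MountPoints2 sections."""
    findings = []
    for key, lines in split_sections(text).items():
        if key.endswith("authorizedapplications\\list"):
            for line in lines:
                # REG_SZ value names are printed with doubled backslashes; the name is the path.
                path = line.split('"')[1].replace("\\\\", "\\")
                if any(m in path.lower() for m in P2P_MARKERS):
                    findings.append(("firewall-exception-p2p", path))
        elif key.endswith("globallyopenports\\list"):
            for line in lines:
                m = PORT_RE.match(line)
                if not m:
                    continue
                port, proto, value = m.groups()
                desc = value.split(":", 2)[-1]  # value is "port:proto:description"
                label = "open-port"
                if port in SENSITIVE_PORTS:
                    label += "-" + SENSITIVE_PORTS[port]
                elif any(mk in desc.lower() for mk in P2P_MARKERS):
                    label += "-p2p"
                findings.append((label, f"{port}/{proto} {desc}"))
        elif "\\mountpoints2\\" in key:
            for line in lines:
                # Cached autorun.inf command for a removable volume: the classic USB-worm hook.
                if "\\shell\\autorun\\command" in line.lower() and " - " in line:
                    findings.append(("removable-autorun", line.split(" - ", 1)[1]))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:26} {detail}")
```

Run against the real log, the same logic would list the BitTorrent exception, both BitComet ports, the Remote Desktop port and the `H:\setupSNK.exe` AutoRun command; whether each is intended is a question for the machine's owner, but each is worth asking.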
     
  10. 2008/09/11
    Geri
    Hi
    OK, good. Now let's get an online scan.

    Please let me know how things are running.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  11. 2008/09/12
    dtonning
    kasper scan

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, September 12, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, September 12, 2008 11:58:26
    Records in database: 1216568
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    I:\
    J:\
    K:\

    Scan statistics:
    Files scanned: 196016
    Threat name: 17
    Infected objects: 68
    Suspicious objects: 0
    Duration of the scan: 03:26:22


    File name / Threat name / Threats count
    C:\Documents and Settings\David Tonning\.housecall6.6\Quarantine\omfge.class-2b3d7713-55f7b0e0.class.bac_a03684 Infected: Trojan-Downloader.Java.OpenStream.y 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\278016E0d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\672CC238d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\696F24F5d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\929B6473d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\9F6E93C0d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\B3FB50B7d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C3FD3025d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C81F1BC2d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\D366BD92d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E154C9C6d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E891C9F9d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\Program Files\BitTorrent\uninst.exe Infected: Trojan.Win32.Shutdowner.ate 1
    C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys(3)\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
    C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v 1
    C:\Qoobox\Quarantine\C\Program Files\AAV\aav.exe.vir Infected: not-a-virus:FraudTool.Win32.SpywarePreventer.r 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\788877\788877.dll.vir Infected: not-a-virus:AdWare.Win32.E404.dp 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\tdssserv.sys.vir Infected: Backdoor.Win32.Agent.qqh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lphcre5j0e7a9.exe.vir Infected: Backdoor.Win32.Frauder.dk 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sysrest32.exe.vir Infected: Trojan.Win32.KillAV.agz 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.jj 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssl.dll.vir Infected: Trojan-Downloader.Win32.Small.acri 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssmain.dll.vir Infected: Backdoor.Win32.Agent.rfw 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssserf.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
    C:\Qoobox\Quarantine\catchme2008-09-10_234530.98.zip Infected: Rootkit.Win32.Agent.cmh 5
    C:\Qoobox\Quarantine\catchme2008-09-10_234530.98.zip Infected: Email-Worm.Win32.Zhelatin.vl 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA3BA3BV.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA44S35J.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA48BS8S.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA4UU5BN.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA55F5KH.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA5RW9JU.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA6SYUJ4.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA8PQORK.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCABV73NR.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCABWOCEZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCADFL28L.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCADWRBXD.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAHZ156G.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAIL8FYG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAKSX03D.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCALUJ2CF.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAM9610S.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAMXFZER.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCANEGPA0.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAQ05BI9.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCATSYEZJ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAXB8VS8.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E9DPJC3E\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S7NLTH2O\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S7NLTH2O\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    The selected area was scanned.
     
  12. 2008/09/13
    Geri
    Hi
    Please do this.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Go to: Start
    Click on: Run
    Copy and Paste this in the run box:

    msiexec.exe /x{78d944d7-a97b-4004-ab0a-b5ad06839940}

    Hit enter, click yes if it prompts


    Please clear your Firefox Cache.
    Open Firefox
    Click on Tools.
    Click on Clear Private Data
    Put a check in the Cache box
    Click Clear Private Data Now.
    OK any prompts.


    Empty the housecall6.6 Quarantine folder.


    This is showing infected.
    C:\Program Files\BitTorrent\uninst.exe Infected: Trojan.Win32.Shutdowner.ate 1

    P2P software (Limewire, BitTorrent, uTorrent, etc.): We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus removal.

    These are showing as Risk tools; do you know what they are and do you use them?
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
    C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys(3)\WebSys.mmz

    Now please post the MBAM log and a new Kaspersky scan.

    Thanks
    Geri
     
  13. 2008/09/13
    dtonning
    Geri,
    I ran the malware as you told me, and I got to the end; everything went smoothly. I restarted as it suggested, and it starts back up fine, but I cannot access the start menu. I click on it, but nothing happens. I was trying to copy that instruction you gave me for the run option. Is there another way to open the "run" process?
     
  14. 2008/09/13
    Geri
    Hi
    That's strange.

    Open Task Manager: Ctrl + Alt + Delete.
    Click on File
    Click on New Task (Run)
    Browse to C:\Program Files\Malwarebytes' Anti-Malware > mbam.exe
    Click Open
    Click OK.

    Then run MBAM.

    Geri
     
  15. 2008/09/13
    dtonning
    Geri,
    The MBAM ran fine and I saved the log, but when I went to run the MSIEXEC.EXE, I could not. I restarted the computer two times, and as it is opening Windows, several programs try to open, and then after they are done and I close them, the task bar is visible but does not respond. I can access any of the programs on the desktop, but nothing in the taskbar.
     
  16. 2008/09/13
    dtonning
    I am currently at work, so I will have to follow up with this after 5 PM today. Geri, I really appreciate all this help. I told my brother, who has used the same sites I have, and he found 17 viruses in the shared files he has. We are done with that program. Lesson learned, I would say.
     
  17. 2008/09/13
    dtonning
    Geri, this is the second MBAM; I still cannot get the task bar to respond.

    Malwarebytes' Anti-Malware 1.28
    Database version: 1144
    Windows 5.1.2600 Service Pack 2

    9/13/2008 5:41:24 PM
    mbam-log-2008-09-13 (17-41-24).txt

    Scan type: Quick Scan
    Objects scanned: 51162
    Time elapsed: 5 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  18. 2008/09/13
    Geri
    Hi
    Please go here and run #164 on the left hand side, "Restore Taskbar to Default Functionality".
    To use the VBS files: download the .vbs file and save it to your hard drive (you may want to right click and use Save Target As). Double click the .vbs file. You will be prompted when the script is done.
    http://www.kellys-korner-xp.com/xp_tweaks.htm

    Let me know if that helps.

    Thanks
    Geri
     
  19. 2008/09/13
    dtonning
    The taskbar reset worked fine. It would not run the msiexec program; it said it could not find it. I copied and pasted it exactly. The malware came back and said it was all clear, but the Kaspersky scan is below. I deleted some of the files I have had trouble with from the BitTorrent stuff, but it appears there are still some there.

    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, September 13, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, September 13, 2008 23:20:00
    Records in database: 1221843


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    I:\
    J:\
    K:\

    Scan statistics
    Files scanned 195302
    Threat name 15
    Infected objects 66
    Suspicious objects 0
    Duration of the scan 03:18:56

    File name Threat name Threats count
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\278016E0d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\672CC238d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\696F24F5d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\929B6473d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\9F6E93C0d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\B3FB50B7d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C3FD3025d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C81F1BC2d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\D366BD92d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E154C9C6d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E891C9F9d01 Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys(3)\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

    C:\Qoobox\Quarantine\C\Program Files\AAV\aav.exe.vir Infected: not-a-virus:FraudTool.Win32.SpywarePreventer.r 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\788877\788877.dll.vir Infected: not-a-virus:AdWare.Win32.E404.dp 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\tdssserv.sys.vir Infected: Backdoor.Win32.Agent.qqh 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\lphcre5j0e7a9.exe.vir Infected: Backdoor.Win32.Frauder.dk 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\sysrest32.exe.vir Infected: Trojan.Win32.KillAV.agz 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.jj 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssl.dll.vir Infected: Trojan-Downloader.Win32.Small.acri 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssmain.dll.vir Infected: Backdoor.Win32.Agent.rfw 1

    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssserf.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1

    C:\Qoobox\Quarantine\catchme2008-09-10_234530.98.zip Infected: Rootkit.Win32.Agent.cmh 5

    C:\Qoobox\Quarantine\catchme2008-09-10_234530.98.zip Infected: Email-Worm.Win32.Zhelatin.vl 1

    C:\RECYCLER\S-1-5-21-3791265235-4017911181-3869940563-1007\Dc1.bac_a03684 Infected: Trojan-Downloader.Java.OpenStream.y 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA3BA3BV.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA44S35J.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA48BS8S.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA4UU5BN.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA55F5KH.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA5RW9JU.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA6SYUJ4.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCA8PQORK.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCABV73NR.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCABWOCEZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCADFL28L.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCADWRBXD.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAHZ156G.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAIL8FYG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAKSX03D.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCALUJ2CF.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAM9610S.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAMXFZER.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCANEGPA0.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAQ05BI9.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCATSYEZJ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\acCAXB8VS8.htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E9DPJC3E\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S7NLTH2O\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S7NLTH2O\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

    The selected area was scanned.
     
  20. 2008/09/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK did you clear your Firefox cache?

    Please do this.


    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\278016E0d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\672CC238d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\696F24F5d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\929B6473d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\9F6E93C0d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\B3FB50B7d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C3FD3025d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C81F1BC2d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\D366BD92d01
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E154C9C6d01 
      C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E891C9F9d01
      C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys(3)\WebSys.mmz
      C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
      C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9
      C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E9DPJC3E
      C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S7NLTH2O
      
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move " window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Thanks
    Geri
     
  21. 2008/09/14
    dtonning

    dtonning Inactive Thread Starter

    Joined:
    2008/09/07
    Messages:
    30
    Likes Received:
    0
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\278016E0d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\672CC238d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\696F24F5d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\929B6473d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\9F6E93C0d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\B3FB50B7d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C3FD3025d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\C81F1BC2d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\D366BD92d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E154C9C6d01 moved successfully.
    C:\Documents and Settings\David Tonning\Local Settings\Application Data\Mozilla\Firefox\Profiles\672rpasw.default\Cache\E891C9F9d01 moved successfully.
    C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys(3)\WebSys.mmz moved successfully.
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz moved successfully.
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9 moved successfully.
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E9DPJC3E moved successfully.
    File/Folder C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09142008_013706
     
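The two steps in Geri's instructions (collapse the per-file scanner hits into a short folder list, then move those folders somewhere they cannot execute while keeping a log) are what the added example below does in Python. It is not OTMoveIt2 and not code from this thread; the sample scan text is a few lines copied from the report above, the temporary folder tree is constructed for the demo, and the log wording is modelled on the result dtonning posted. It also shows the edge case visible in that result: a pasted line that was cut off at a space ("Temporary Internet") comes back as not found rather than silently skipped, so the real folder is known to still be there.

```python
"""Parse a scanner report into cache folders and quarantine them with a log.

Added example, not OTMoveIt2 and not code posted in this thread. Paths,
folder layout and log wording are assumptions chosen for the demo.
"""
import datetime
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample: four lines from the scan report above, verbatim.
SAMPLE_SCAN = r"""
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2QEWN9M9\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E9DPJC3E\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S7NLTH2O\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
"""


def parse_scan_hits(report: str):
    """Return (path, verdict) for every 'Infected:' line in a report like the one above."""
    hits = []
    for line in report.splitlines():
        path, sep, rest = line.strip().partition(" Infected: ")
        if sep:
            hits.append((path, rest.rsplit(" ", 1)[0]))  # drop the trailing hit count
    return hits


def cache_folders(hits):
    """Collapse per-file hits to their containing folders, keeping first-seen order."""
    folders = []
    for path, _verdict in hits:
        parent = str(PureWindowsPath(path).parent)
        if parent not in folders:
            folders.append(parent)
    return folders


def quarantine(targets, quarantine_root: Path):
    """Move each absolute path in `targets` under quarantine_root/MovedFiles.

    The original directory layout is mirrored so a false positive can be put
    back. A target that does not exist is reported, not silently skipped: a
    line truncated during copy/paste (the last line of the posted result was
    cut off at a space) would otherwise leave the real folder in place.
    """
    moved_dir = quarantine_root / "MovedFiles"
    moved_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for target in targets:
        src = Path(target)
        if not src.exists():
            results.append(f"File/Folder {target} not found.")
            continue
        dst = moved_dir / src.relative_to(src.anchor)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        results.append(f"{target} moved successfully.")
    stamp = datetime.datetime.now().strftime("%m%d%Y_%H%M%S")
    log_path = moved_dir / f"{stamp}.log"
    log_path.write_text("\n".join(results) + "\n", encoding="utf-8")
    return results, log_path


def demo():
    """Run the quarantine against a throwaway tree; returns (results, log text)."""
    base = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    cache = base / "Temporary Internet Files" / "Content.IE5"
    for folder in ("2QEWN9M9", "E9DPJC3E"):        # S7NLTH2O deliberately absent
        (cache / folder).mkdir(parents=True)
        (cache / folder / "ac[1].htm").write_text("<!-- constructed sample -->")
    targets = [
        str(cache / "2QEWN9M9"),
        str(cache / "E9DPJC3E"),
        str(base / "Temporary Internet"),           # truncated at the space, as in the thread
    ]
    results, log_path = quarantine(targets, base / "_Quarantine")
    return results, log_path.read_text(encoding="utf-8")
```

Run `demo()` to see the three result lines and the log it wrote; on a real machine you would feed `quarantine()` the folders from `cache_folders()` instead of the constructed tree. Moving (rather than deleting) the cache folders keeps the dropper pages available for later analysis and for restoring anything the scanner misclassified.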
