Au_.exe (SmitfraudC I believe)

I recently found AU_.EXE running in my background processes. No wonder why Firefox did not start correctly


I ended au_.exe before the hijackthis scan. I bet the experts will still figure it out.
I restarted after that scan and cannot find au_.exe on the process list. Firefox Starts better now. I bet it is still crawling around in my computer somewhere.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:13 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Plustek\OpticBook 3600 Plus\Am32Plus.exe
C:\Program Files\V-Stream Multimedia\TV88X Utilities\C8XRCtl.exe
C:\Program Files\Trayit\trayit!.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft IntelliPoint\IPoint.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000018.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKCU\..\Run: [L08AXLRD_439702729] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - Startup: trayit!.exe.lnk = C:\Program Files\Trayit\trayit!.exe
O4 - Startup: TrayIt!.lnk = C:\Program Files\Trayit\trayit!.exe
O4 - Global Startup: Action Express (OpticBook 3600 Plus).lnk = ?
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\V-Stream Multimedia\TV88X Utilities\C8XRCtl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.toastedspam.com
O15 - Trusted Zone: http://*.toastedspam.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1182711802990
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182711885729
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 10370 bytes

 

Hi sniper,

Please post a log from Deckard's System Scanner.

 

Deckard

Deckard's System Scanner v20071014.68
Run by Fred on 2008-04-12 22:13:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2008-04-13 02:13:51 UTC - RP393 - Deckard's System Scanner Restore Point
54: 2008-04-12 16:26:23 UTC - RP392 - Installed Cloudmark Desktop for Microsoft Outlook
53: 2008-04-12 03:48:45 UTC - RP391 - Removed Cloudmark Desktop for Microsoft Outlook Express
52: 2008-04-12 00:17:54 UTC - RP390 - Installed Cloudmark Desktop for Microsoft Outlook Express
51: 2008-04-12 00:12:05 UTC - RP389 - Removed SPAMfighter.


-- First Restore Point --
1: 2008-02-20 23:43:54 UTC - RP339 - Installed Opera 9.26


Performed disk cleanup.



-- HijackThis (run as Fred.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:09 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Plustek\OpticBook 3600 Plus\Am32Plus.exe
C:\Program Files\V-Stream Multimedia\TV88X Utilities\C8XRCtl.exe
C:\Program Files\Trayit\trayit!.exe
C:\Program Files\Trayit\trayit!.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Microsoft IntelliPoint\IPoint.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Fred\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Fred.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000018.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKCU\..\Run: [L08AXLRD_439702729] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - Startup: trayit!.exe.lnk = C:\Program Files\Trayit\trayit!.exe
O4 - Startup: TrayIt!.lnk = C:\Program Files\Trayit\trayit!.exe
O4 - Global Startup: Action Express (OpticBook 3600 Plus).lnk = ?
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\V-Stream Multimedia\TV88X Utilities\C8XRCtl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.toastedspam.com
O15 - Trusted Zone: http://*.toastedspam.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1182711802990
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182711885729
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 10409 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070904-232232-160 O4 - HKLM\..\Run: [Power TTS Reader] C:\Program Files\Power Text To Speech Reader\speaktext.exe /minimize
backup-20070904-232232-190 O4 - HKCU\..\Run: [E07AXLRD_226080817] "C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2007\EDICT.EXE" -m
backup-20070904-232232-359 O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
backup-20070904-232232-558 O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
backup-20070904-232232-795 O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe "
backup-20070904-232232-827 O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

-- File Associations -----------------------------------------------------------

.ini - NotepadX.exe - DefaultIcon - C:\Documents and Settings\Fred\Notepad X.exe
.ini - NotepadX.exe - shell\open\command - "C:\Documents and Settings\Fred\Notepad X.exe" "%1 "
.js - JSFile - shell\open\command - "c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .js1
.reg - regfile - shell\open\command - "c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .reg
.txt - NotepadX.exe - DefaultIcon - C:\Documents and Settings\Fred\Notepad X.exe
.txt - NotepadX.exe - shell\open\command - "C:\Documents and Settings\Fred\Notepad X.exe" "%1 "
.vbs - VBSFile - shell\open\command - "c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .vb1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BootScreen - c:\windows\\systemroot\system32\drivers\vidstub.sys (file missing)
R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 Wpsnuio (WPS NDIS Usermode I/O Protocol) - c:\windows\system32\drivers\wpsnuio.sys <Not Verified; Skyhook Wireless; WPS NDIS User Mode I/O Driver>

S3 HCW88TUNE (Hauppauge WinTV 88x Tuner) - c:\windows\system32\drivers\hcw88tun.sys <Not Verified; Hauppauge Computer Works, Inc.; hcw88tun.sys>
S3 hcw88vid (Hauppauge WinTV 88x Video) - c:\windows\system32\drivers\hcw88vid.sys <Not Verified; Hauppauge Computer Works, Inc; hcw88vid.sys>
S3 HCW88XBAR (Hauppauge WinTV 88x Crossbar) - c:\windows\system32\drivers\hcw88bar.sys <Not Verified; Hauppauge Computer Works, Inc.; hcw88bar.sys>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 nhksrv (Netropa NHK Server) - c:\program files\netropa\multimedia keyboard\nhksrv.exe
R2 WPSScannerSvc (WPS Scanner Service) - c:\program files\skyhook wireless\wi-fi service\wpsscannersvc.exe <Not Verified; Skyhook Wireless; Wi-Fi Scanner Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 22:01:25 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-12 21:58:18 284 --a------ C:\WINDOWS\Tasks\ViStart 2490.job
2008-04-11 10:00:31 276 --a------ C:\WINDOWS\Tasks\0923 - Go To Sleep.job


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 20:56:13 0 dr-h----- C:\Documents and Settings\Fred\Recent
2008-04-12 12:26:28 0 d-------- C:\Program Files\Cloudmark
2008-04-11 20:04:58 0 d-------- C:\Documents and Settings\Fred\Application Data\SpamPal
2008-04-11 17:07:42 0 d-------- C:\Documents and Settings\Fred\Application Data\SPAMfighter
2008-04-11 17:06:10 0 d-------- C:\Program Files\SPAMfighter
2008-04-09 20:42:15 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-09 19:21:38 0 d-------- C:\Program Files\Opera 9.5 beta
2008-04-06 21:54:39 0 d-------- C:\Program Files\Trayit
2008-04-06 19:19:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-06 19:19:36 0 d-------- C:\Documents and Settings\Fred\Application Data\Thunderbird
2008-04-06 19:19:21 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-03-19 20:59:51 0 d-------- C:\Program Files\LocationPlugin
2008-03-19 20:53:31 0 d-------- C:\Program Files\Common Files\AOL
2008-03-19 20:53:18 0 d-------- C:\Program Files\AIM6
2008-03-14 23:40:35 0 d-------- C:\Documents and Settings\Fred\Application Data\Ahead


-- Find3M Report ---------------------------------------------------------------

2008-04-12 21:59:01 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-12 20:34:21 0 d-------- C:\Documents and Settings\Fred\Application Data\uTorrent
2008-04-12 12:26:59 0 d-------- C:\Documents and Settings\Fred\Application Data\Cloudmark
2008-04-12 12:26:29 0 d-------- C:\Program Files\Common Files\Cloudmark
2008-04-11 20:12:30 0 d-------- C:\Program Files\Common Files
2008-04-09 20:30:34 0 d-------- C:\Documents and Settings\Fred\Application Data\Mozilla
2008-04-09 19:32:42 0 d-------- C:\Documents and Settings\Fred\Application Data\Opera
2008-03-19 22:03:11 0 d-------- C:\Program Files\SpywareBlaster
2008-03-19 21:02:56 0 d-------- C:\Program Files\BuddyList Ops
2008-03-19 21:00:59 0 d-------- C:\Program Files\LWAway
2008-03-19 21:00:50 0 d-------- C:\Program Files\Buddy Icon Maker
2008-03-19 21:00:46 0 d-------- C:\Program Files\Colorizer
2008-03-19 21:00:20 0 d-------- C:\Program Files\AvPropPlugin
2008-03-19 21:00:15 0 d-------- C:\Program Files\Facebook Plugin
2008-03-19 20:59:53 0 d-------- C:\Program Files\Skyhook Wireless
2008-03-19 20:59:03 0 d-------- C:\Program Files\AIM Music Link
2008-03-19 20:58:53 0 d-------- C:\Program Files\AIM FightList
2008-03-18 01:03:32 0 d-------- C:\Program Files\AIM
2008-03-10 22:25:00 0 d-------- C:\Program Files\Copernic Desktop Search 2
2008-03-06 13:36:01 0 d-------- C:\Program Files\Thoosje Sidebar V2.3
2008-03-03 03:44:32 2543 --a------ C:\WINDOWS\unins000.dat
2008-03-03 03:35:54 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-01 15:07:52 0 d-------- C:\Documents and Settings\Fred\Application Data\U3
2008-02-27 03:02:14 0 d-------- C:\Documents and Settings\Fred\Application Data\Softarium.com
2008-02-25 11:49:17 0 d-------- C:\Program Files\ViStart
2008-02-21 21:10:15 0 d-------- C:\Documents and Settings\Fred\Application Data\Smart Recorder


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OODefragTray "= "C:\WINDOWS\system32\oodtray.exe" [05/11/2007 02:08 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"L08AXLRD_439702729 "= "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.exe" [05/21/2007 07:00 AM]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Copernic Desktop Search 2 "= "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" [03/03/2008 04:45 PM]
"Aim6 "=" " []

C:\Documents and Settings\Fred\Start Menu\Programs\Startup\
trayit!.exe.lnk - C:\Program Files\Trayit\trayit!.exe [1/19/2004 12:36:54 PM]
TrayIt!.lnk - C:\Program Files\Trayit\trayit!.exe [1/19/2004 12:36:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Action Express (OpticBook 3600 Plus).lnk - C:\Program Files\Plustek\OpticBook 3600 Plus\Am32Plus.exe [6/26/2007 10:52:24 PM]
TV Remote Control.lnk - C:\Program Files\V-Stream Multimedia\TV88X Utilities\C8XRCtl.exe [6/30/2007 12:01:57 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu "=0 (0x0)
"NoRecentDocsHistory "=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@= "Volume shadow copy "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remote Control.lnk]
backup=C:\WINDOWS\pss\Remote Control.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E07AXLRD_125632199]
"C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2007\EDICT.EXE" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simp]
C:\Program Files\Secway\SimpLite-ICQ-AIM 2.2\SimpLite-ICQ-AIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
C:\Program Files\ViStart\ViStart

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UnlockerAssistant "= "C:\Program Files\Unlocker\UnlockerAssistant.exe "
"Power TTS Reader "=C:\Program Files\Power Text To Speech Reader\speaktext.exe /minimize


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bdc4251-e7c1-11dc-bc14-0040ca5864f8}]
AutoRun\command- H:\setupSNK.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 babe.the-killer.bz
127.0.0.1 www.babe.the-killer.bz
127.0.0.1 babe.k-lined.com
127.0.0.1 www.babe.k-lined.com
127.0.0.1 did.i-used.cc
127.0.0.1 www.did.i-used.cc
127.0.0.1 coolwwwsearch.com
127.0.0.1 www.coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 www.coolwebsearch.com

8393 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-12 22:17:37 ------------

 

Did you install Notepad X.exe?
You should fix some file associations.

Highlight and copy the bolded command below.

"%userprofile%\desktop\dss.exe" /daft

• Click Start>Run and paste the command in, then hit enter.
• An interface of Deckards file association fix will open.
• Click Scan.
• Check the box next to the following, then click Fix.
  • .js
  • .reg
  • .vbs
• Exit when complete.

We'll leave the others pending your response to Notepad X

Create and post a new HjckThis log the next time you see AU_.exe running.

 

I did install Notepad X awhile ago.

I cant seem to get "%userprofile%\desktop\dss.exe" /daft that to work

 

• Right click dss.exe on the desktop and select Create Shortcut
• A shortcut should appear on the desktop
• Right click the shortcut and select Properties
• In the first address window labled 'Target' (Shortcut tab), place your cursor at the end of the line, behind dss.exe " (make sure the line is not highlighted)
• Now hit the spacebar 1 time, then type /daft
• The path should now read "C:\Documents and Settings\Fred\Desktop\dss.exe" /daft
• Click OK, then double click the shortcut

 

ok got it

 

Lets go ahead and see if an online scan picks up anything. Please do an online scan with Kaspersky WebScanner

Click Scan Now and Accept the agreement. You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.

Post the Kaspersky log here.

 

Found somethin

While scanning with Kaspersky, NAV detected 2 counts of http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99
It says it deleted them.
I am still scanning with Kaspersky

 

I bet I have smitfraud. It keeps coming up as autoprotect in nav

 

Good thing to run the scan

KASPERSKY ONLINE SCANNER REPORT
Sunday, April 13, 2008 10:21:39 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/04/2008
Kaspersky Anti-Virus database records: 701099

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 60268
Number of viruses found 2
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 02:15:04

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\body[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\guest_disabled[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\localtext[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\mainpage[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\nusrmgr[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQVQFEB\pwcreate[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6A3GVNGE\chg_common[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6A3GVNGE\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6A3GVNGE\mainpage[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6A3GVNGE\nusrmgr[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6A3GVNGE\nusrmgr[2] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6A3GVNGE\pw_common[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6CM3D8XG\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6CM3D8XG\helpdoc[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6CM3D8XG\mainpage2[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6CM3D8XG\popup[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6CM3D8XG\users[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\79Z8EPXS\classic[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\79Z8EPXS\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\79Z8EPXS\passwordpage2[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\79Z8EPXS\popup[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\79Z8EPXS\selectable[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\79Z8EPXS\users32[1] Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.ini Object is locked skipped

C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped

C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped

C:\Documents and Settings\Administrator\SendTo\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini Object is locked skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped

C:\Documents and Settings\Administrator\Templates\amipro.sam Object is locked skipped

C:\Documents and Settings\Administrator\Templates\excel.xls Object is locked skipped

C:\Documents and Settings\Administrator\Templates\excel4.xls Object is locked skipped

C:\Documents and Settings\Administrator\Templates\lotus.wk4 Object is locked skipped

C:\Documents and Settings\Administrator\Templates\powerpnt.ppt Object is locked skipped

C:\Documents and Settings\Administrator\Templates\presenta.shw Object is locked skipped

C:\Documents and Settings\Administrator\Templates\quattro.wb2 Object is locked skipped

C:\Documents and Settings\Administrator\Templates\sndrec.wav Object is locked skipped

C:\Documents and Settings\Administrator\Templates\winword.doc Object is locked skipped

C:\Documents and Settings\Administrator\Templates\winword2.doc Object is locked skipped

C:\Documents and Settings\Administrator\Templates\wordpfct.wpd Object is locked skipped

C:\Documents and Settings\Administrator\Templates\wordpfct.wpg Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06242007-180613.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\acccore\nss\cert8.db Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\acccore\nss\key3.db Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Microsoft\Templates\NormalEmail.dotm Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\indexer\indexer.ax Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\indexer\indexer.bx Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\indexer\m2_id Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\indexer\message_id Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\lexicon\lexicon.ax Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\lexicon\lexicon.bx Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\mail\omailbase.dat Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\profile\vps\0000\adoc.bx Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\profile\vps\0000\md.dat Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\profile\vps\0000\url.ax Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\profile\vps\0000\w.ax Object is locked skipped

C:\Documents and Settings\Jordy\Application Data\Opera\Opera 9.5 beta\profile\vps\0000\wb.vx Object is locked skipped

C:\Documents and Settings\Jordy\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\AOL OCP\AIM\Storage\data\devilsnight228\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\ChunkSCLF.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\DocumentsFD.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\DocumentsID.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\DocumentsSD.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\KeywordsDBT.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\KeywordsDL.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\KeywordsIBT.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\KeywordsP.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Index\MainChunk\KeywordsSBT.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Logs\20080412.log Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Queue\MainChunk\IndexingQueueDf.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Queue\MainChunk\IndexingQueueTt.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\DesktopSearch2\Queue\MainChunk\IndexingQueueUt.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Temp\Perflib_Perfdata_9e8.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jordy\Local Settings\Temporary Internet Files\Content.Word\~WRS{620AEF79-DC17-4C26-8BAC-80DD7219000A}.tmp Object is locked skipped

C:\Documents and Settings\Jordy\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jordy\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Sygate\SPF\debug.log Object is locked skipped

C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped

C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped

C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped

C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0482NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0709NAV~.TMP Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{527E9A09-FC1B-414B-A1A4-90ED4A785EEC}\RP393\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{F36D1038-393E-4FAD-8107-B59EC0EEB8D9}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\TMP00000039463CAF05EC24C3B7 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Held Files\Kept Files\vtp6(2)\Vista Transformation Pack 6.0.exe/WISE0030.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

D:\Held Files\Kept Files\vtp6(2)\Vista Transformation Pack 6.0.exe/WISE0053.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

D:\Held Files\Kept Files\vtp6(2)\Vista Transformation Pack 6.0.exe/WISE0053.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

D:\Held Files\Kept Files\vtp6(2)\Vista Transformation Pack 6.0.exe WiseSFX: infected - 3 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{527E9A09-FC1B-414B-A1A4-90ED4A785EEC}\RP393\change.log Object is locked skipped

D:\System Volume Information\_restore{62D2C7F9-F5FE-40BA-AAE5-015A4202F1D5}\RP66\A0020929.exe/data.rar/aawcrack.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped

D:\System Volume Information\_restore{62D2C7F9-F5FE-40BA-AAE5-015A4202F1D5}\RP66\A0020929.exe/data.rar/aawcrack.exe Infected: Trojan-Downloader.Win32.VB.awj skipped

D:\System Volume Information\_restore{62D2C7F9-F5FE-40BA-AAE5-015A4202F1D5}\RP66\A0020929.exe/data.rar Infected: Trojan-Downloader.Win32.VB.awj skipped

D:\System Volume Information\_restore{62D2C7F9-F5FE-40BA-AAE5-015A4202F1D5}\RP66\A0020929.exe RarSFX: infected - 3 skipped

Scan process completed.

 

NAV must have successfully nuked whatever it was. Only thing showing infected in that log happens to be in System Restore points.

aawcrack.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj

Clear your Restore points, and stay away from cracked software

Clear past system restore points and create a new one.
Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

Verify a new restore point was created.
Click Start>All Programs>Accessories>System Tools>System Restore
Select 'Restore my computer to an earlier time', then click next.
You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.