
How do I get rid of Infostealer.Gampass & Downloader??

Discussion in 'Malware and Virus Removal Archive' started by dmcmillen, 2008/05/11.

  1. dmcmillen (Thread Starter), 2008/05/11
    I really could use some help here. My Norton weekly system scan on Friday found Infostealer.Gampass in an exe that I had run in the past week or so. I am surprised that Norton didn't tell me when I ran it. Anyway, I looked it up on Symantec, which pointed me to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which indeed had 2 rundll32.exe entries of randomly named DLLs which I am assuming are related to the Infostealer.Gampass. I have tried ending the 2 rundll32 processes and then deleting the 2 registry entries and the DLLs and 2 other ini files in system32 named yaJluBeg.ini and yaJluBeg.ini2. But they just keep coming back: 2 new registry entries with the same names with randomly generated DLL names. With the 2 rundll32 processes gone, the 2 ini files come back immediately after deleting.

    Norton has also detected the Infostealer virus in a temporary internet file and deleted it. Then Norton detected the Downloader virus in several temporary internet files today, but was unable to delete them, and when I looked they were gone. I understand that Infostealer can also install Downloader. I'm not even sure that these files are related to Infostealer or Downloader.

    I am running XP SP2 and I use Firefox, IE and Maxthon. Firefox and IE are having problems and are not accessing certain sites (not even timing out). I think I caused this by getting in a hurry when I was running the exe and allowed SpySweeper to install the virus software.

    Anyway, I'm at a loss and would appreciate any help. Here's my HijackThis log:

    David

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:09:17 PM, on 5/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\NSCSRVCE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\ThisRenamed.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: (no name) - {F2A1B404-457D-4D06-A46B-B514985EF98A} - C:\WINDOWS\system32\geBUlJay.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [Norton Save and Restore] "C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe "
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [9c7c1938] "rundll32.exe" "C:\WINDOWS\system32\pfftlgsm.dll ",b
    O4 - HKLM\..\Run: [BM9f4f2aa4] Rundll32.exe "C:\WINDOWS\system32\rgupnoxn.dll ",s
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe "
    O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    --
    End of file - 17386 bytes
     
    Last edited: 2008/05/12
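As an added example (not the forum's, the poster's or HijackThis's own code), the following Python triage reads HijackThis O2/O4 lines and flags the pattern David describes above: Run entries under hex-looking value names that make rundll32 load an eight-letter DLL out of system32, a BHO with no name in system32, and the observation that the yaJluBeg .ini base name is the case-insensitive reverse of the geBUlJay.dll BHO name. The sample lines are an excerpt copied from the log above; the thresholds (eight letters, hex value names) are assumptions modelled on that log, not a signature for any named family.

```python
"""Triage a HijackThis log for the persistence pattern described in the post:
Run entries that make rundll32 load a randomly named DLL out of system32,
a BHO with no name pointing into system32, and the .ini/.dll name pairing.

Added example, not the forum's or HijackThis's own code. The heuristics are
assumptions modelled on the post's log, not a signature for a named family.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt in HijackThis v2 line format: the O2/O4 values quoted in
# the post, with two benign lines (Java BHO, ccApp, ctfmon) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F2A1B404-457D-4D06-A46B-B514985EF98A} - C:\WINDOWS\system32\geBUlJay.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [9c7c1938] "rundll32.exe" "C:\WINDOWS\system32\pfftlgsm.dll ",b
O4 - HKLM\..\Run: [BM9f4f2aa4] Rundll32.exe "C:\WINDOWS\system32\rgupnoxn.dll ",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A DLL sitting directly in system32 whose base name is eight bare letters
# (assumed threshold, taken from pfftlgsm / rgupnoxn / geBUlJay in the post).
SYS32_DLL_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.dll\b", re.IGNORECASE)
# Run value names like '9c7c1938' or 'BM9f4f2aa4': hex noise, not a product name.
HEX_KEY_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")


@dataclass
class Finding:
    section: str   # 'O2' or 'O4'
    name: str      # BHO display name or Run value name
    path: str      # DLL path or command line exactly as logged
    reasons: List[str] = field(default_factory=list)


def triage_o4(name: str, cmd: str) -> List[str]:
    """Reasons an O4 Run entry looks like the post's rundll32 loader, if any."""
    reasons = []
    dll = SYS32_DLL_RE.search(cmd)
    if "rundll32" in cmd.lower() and dll:
        reasons.append(f"rundll32 loads eight-letter DLL {dll.group(1)}.dll from system32")
    if HEX_KEY_RE.match(name):
        reasons.append(f"Run value name {name!r} is a hex string rather than a product name")
    # Weak on its own, so only reported alongside another reason: a one-letter
    # export name after the DLL path (',b' / ',s' in the post's two entries).
    if reasons and re.search(r'",[A-Za-z]$', cmd):
        reasons.append("single-letter export name after the DLL path")
    return reasons


def triage_o2(name: str, path: str) -> List[str]:
    """Reasons an O2 BHO entry looks like the post's nameless system32 BHO."""
    reasons = []
    if name == "(no name)" and SYS32_DLL_RE.search(path):
        reasons.append("BHO has no name and loads an eight-letter DLL from system32")
    return reasons


def triage_log(text: str) -> List[Finding]:
    """Parse O2 and O4 lines; return only entries with at least one reason."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = triage_o2(m["name"], m["path"])
            if reasons:
                findings.append(Finding("O2", m["name"], m["path"], reasons))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(m["name"], m["cmd"])
            if reasons:
                findings.append(Finding("O4", m["name"], m["cmd"], reasons))
    return findings


def reversed_name_pair(ini_name: str, dll_name: str) -> bool:
    """True when the .ini base name is the case-insensitive reverse of the DLL
    base name, which is how the post's yaJluBeg.ini / yaJluBeg.ini2 relate to
    the geBUlJay.dll BHO in the log."""
    ini = os.path.splitext(ini_name)[0].lower()
    dll = os.path.splitext(dll_name)[0].lower()
    return bool(ini) and ini == dll[::-1]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path}")
        for r in f.reasons:
            print("   -", r)
    print("ini/dll reversed pair:", reversed_name_pair("yaJluBeg.ini", "geBUlJay.dll"))
```

Run against the full log, the three flagged entries are exactly the ones David deletes by hand; the reversed-name check ties the regenerating .ini files to the BHO DLL rather than to the two rundll32 DLLs.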
  2. dmcmillen (Thread Starter), 2008/05/12
    Here are my Deckard dss.exe results:

    Deckard's System Scanner v20071014.68
    Run by David on 2008-05-12 08:23:29
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as David.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:23:37 AM, on 5/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\NSCSRVCE.EXE
    C:\Program Files\Maxthon2\Maxthon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Maxthon2\Modules\MXDOWN~1\MXDOWN~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\David\Desktop\dss.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\PROGRA~1\TRENDM~1\HIJACK~1\David.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: (no name) - {F2A1B404-457D-4D06-A46B-B514985EF98A} - C:\WINDOWS\system32\geBUlJay.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [Norton Save and Restore] "C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe "
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [9c7c1938] rundll32.exe "C:\WINDOWS\system32\pfftlgsm.dll ",b
    O4 - HKLM\..\Run: [BM9f4f2aa4] Rundll32.exe "C:\WINDOWS\system32\rgupnoxn.dll ",s
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe "
    O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    --
    End of file - 17385 bytes

    -- Files created between 2008-04-12 and 2008-05-12 -----------------------------

    2008-05-11 18:02:48 0 d-------- C:\Program Files\Trend Micro
    2008-05-11 17:52:24 1048665 --ahs---- C:\WINDOWS\system32\yaJlUBeg.ini2
    2008-05-11 08:47:27 133120 --a------ C:\WINDOWS\system32\dwpsbxji.dll
    2008-05-11 08:47:25 2048 --a------ C:\WINDOWS\system32\vuhfuuli.exe
    2008-05-11 08:44:44 116736 --a------ C:\WINDOWS\system32\pfftlgsm.dll
    2008-05-11 08:44:24 126976 --a------ C:\WINDOWS\system32\rgupnoxn.dll
    2008-05-11 08:41:46 126976 --a------ C:\WINDOWS\system32\qvjmeqon.dll
    2008-05-10 15:10:37 0 d-------- C:\Documents and Settings\David\.housecall6.6
    2008-05-10 11:31:34 0 d-------- C:\WINDOWS\David's Potential Bad Stuff
    2008-05-10 08:50:20 134656 --a------ C:\WINDOWS\system32\tlkbnpas.dll
    2008-05-10 08:44:20 2048 --a------ C:\WINDOWS\system32\sudoedhg.exe
    2008-05-09 08:44:21 133120 --a------ C:\WINDOWS\system32\qfvlrvls.dll
    2008-05-09 08:41:24 2048 --a------ C:\WINDOWS\system32\kbnmvlto.exe
    2008-05-09 08:40:36 123392 --a------ C:\WINDOWS\system32\arijbajm.dll
    2008-05-08 11:40:10 0 d-------- C:\Program Files\OJOsoft
    2008-05-08 11:06:17 396186 --a------ C:\WINDOWS\system32\geBUlJay.dll
    2008-05-08 11:03:15 32475 --a------ C:\WINDOWS\system32\mlJBqpOe.dll
    2008-05-08 11:03:05 32475 --a------ C:\WINDOWS\system32\awtuvSji.dll
    2008-05-08 11:02:13 32475 --a------ C:\WINDOWS\system32\hgGawVNe.dll
    2008-05-08 11:01:41 32475 --a------ C:\WINDOWS\system32\yayxuSjj.dll
    2008-04-29 21:47:56 0 d-------- C:\Program Files\ElcomSoft
    2008-04-29 21:45:59 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
    2008-04-29 21:45:59 349184 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
    2008-04-27 14:25:50 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-04-27 14:25:40 0 d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-04-26 13:22:41 278 --a------ C:\ed9662bf09b5947.dat
    2008-04-26 13:22:34 278 --a------ C:\68a2ee5b10a5b81.dat
    2008-04-26 13:14:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2008-04-26 13:14:36 0 d-------- C:\Documents and Settings\David\Application Data\Azureus
    2008-04-26 13:05:57 0 d-------- C:\Program Files\Azureus
    2008-04-26 12:57:24 0 d-------- C:\Program Files\DIFX
    2008-04-26 12:56:55 0 d-------- C:\Program Files\Common Files\Aladdin Shared
    2008-04-26 12:56:04 0 d-------- C:\Documents and Settings\David\Application Data\Chief Architect Full Version 11
    2008-04-26 12:29:54 0 d-------- C:\Program Files\Chief Architect Inc


    -- Find3M Report ---------------------------------------------------------------

    2008-05-12 08:22:33 0 d-------- C:\Documents and Settings\David\Application Data\Skype
    2008-05-11 19:13:26 0 d-------- C:\Documents and Settings\David\Application Data\MxBoost
    2008-05-11 18:23:08 0 d-------- C:\Program Files\Common Files
    2008-05-11 18:22:52 0 d-------- C:\Documents and Settings\David\Application Data\WTablet
    2008-05-11 18:20:59 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000002-80271102}.dat
    2008-05-11 18:20:59 24 --a------ C:\WINDOWS\system32\DVCState-{00000003-00000000-00000003-00001102-00000002-80271102}.dat
    2008-05-11 17:20:17 0 d-------- C:\Program Files\Norton AntiVirus
    2008-05-11 17:01:38 0 d-------- C:\Documents and Settings\David\Application Data\Corel
    2008-05-11 17:01:14 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2008-05-09 16:30:40 1080 --a------ C:\WINDOWS\AUTOLNCH.REG
    2008-05-08 19:01:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-05-05 17:00:04 0 d-------- C:\Program Files\Java
    2008-04-27 14:25:58 0 d-------- C:\Program Files\Common Files\Adobe
    2008-04-27 14:25:57 0 d-------- C:\Documents and Settings\David\Application Data\Adobe
    2008-04-22 08:35:32 0 d-------- C:\Program Files\Apple Software Update
    2008-04-21 15:06:11 0 d-------- C:\Program Files\iTunes
    2008-04-21 15:05:11 0 d-------- C:\Program Files\iPod
    2008-04-21 15:02:06 0 d-------- C:\Program Files\QuickTime
    2008-04-15 10:26:23 0 d-------- C:\Program Files\Investintech.com Inc
    2008-04-10 18:41:51 0 d-------- C:\Program Files\MSECACHE
    2008-04-07 20:07:23 0 d-------- C:\Documents and Settings\David\Application Data\ATI MMC
    2008-04-02 10:49:59 0 d-------- C:\Program Files\TBFDropZone
    2008-04-02 10:29:10 0 d-------- C:\Documents and Settings\David\Application Data\Axosoft
    2008-03-31 13:30:07 0 --a------ C:\WINDOWS\system32\cid_store.dat
    2008-03-31 13:27:00 0 d-------- C:\Program Files\Maxthon2
    2008-03-31 09:57:00 0 d-------- C:\Documents and Settings\David\Application Data\U3
    2008-03-22 15:22:23 0 d-------- C:\Documents and Settings\David\Application Data\Google
    2008-03-22 15:21:31 0 d-------- C:\Program Files\Google
    2008-03-13 20:33:13 0 d-------- C:\Program Files\Western Digital Technologies
    2008-03-03 10:49:18 4163 --a------ C:\WINDOWS\mozver.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2A1B404-457D-4D06-A46B-B514985EF98A}]
    05/08/2008 11:06 AM 396186 --a------ C:\WINDOWS\system32\geBUlJay.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFaxAppPortStarter"="wfxsnt40.exe" [12/12/2002 07:45 AM C:\WINDOWS\system32\WFXSNT40.EXE]
    "WINDVDPatch"="CTHELPER.EXE" [07/02/2002 06:56 PM C:\WINDOWS\system32\CTHELPER.EXE]
    "WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [12/12/2002 07:45 AM]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [10/07/2007 05:20 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
    "SMPAutoStart"="" []
    "Norton Save and Restore"="C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [04/11/2006 08:36 PM]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
    "MXOBG"="C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" []
    "MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [12/22/2004 09:21 AM]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [03/28/2006 05:38 PM C:\WINDOWS\KHALMNPR.Exe]
    "Logitech BT Wizard"="LBTWiz.exe" []
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 02:00 AM]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [03/04/2003 06:09 PM]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [03/26/2003 12:19 AM]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/17/2005 12:11 AM]
    "HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [04/27/2001 11:00 AM]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [12/02/2002 08:56 PM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/02/2005 05:45 PM]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/28/2003 10:00 PM]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [04/17/2004 01:41 PM]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [04/13/2004 07:07 AM]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
    "@"="" []
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 02:56 AM]
    "9c7c1938"="C:\WINDOWS\system32\pfftlgsm.dll" [05/11/2008 08:44 AM]
    "BM9f4f2aa4"="C:\WINDOWS\system32\rgupnoxn.dll" [05/11/2008 08:44 AM]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dilberttest3 web link"="C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe" [01/31/2002 12:31 PM]
    "ATI Launchpad"="" []
    "Startup Manager"="C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe" []
    "Aim6"="" []
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/10/2007 04:09 PM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"=C:\Program Files\WinFax\WfxSeh32.Dll [07/27/1998 04:54 AM 38400]
    "{FE24CD78-7C63-465D-8787-4EDF7FC79895}"=C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [09/05/2005 11:15 AM 69632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 05/05/2006 08:27 AM 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBUlJay

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f4f2aa4]
    "Rundll32.exe" "C:\WINDOWS\system32\yhhmxxqw.dll",s


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5302e3b-f14c-11dc-81cd-00c0f076ea9e}]
    AutoRun\command- H:\wd_windows_tools\setup.exe




    -- End of Deckard's System Scanner: finished at 2008-05-12 08:25:00 ------------
     
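    The two Run entries with hex-looking names (9c7c1938, BM9f4f2aa4) that point at eight-letter DLLs in system32, and the extra LSA "Authentication Packages" entry (geBUlJay), are the load points worth pulling out of a log like the one above. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses the "Registry Dump" / "Reg Loading Points" value lines and flags the same patterns a helper would spot by eye. SAMPLE_LOG is constructed to mirror the format of the posted log, the heuristics (DLL data in a Run value, generated-looking value name, eight-letter file name under system32, any authentication package besides msv1_0) are this example's own assumptions, and all function names are illustrative.

```python
"""Triage the "Registry Dump" / "Reg Loading Points" section of a
Deckard's System Scanner or ComboFix log (the format posted in this thread).

Added example, not part of the thread. The heuristics are assumptions,
chosen to match what a helper checks by eye:
  * a Run value whose data is a DLL rather than an executable
    (a rundll32-style loader, as the BM9f4f2aa4 entry in the log),
  * a value name that looks machine generated (9c7c1938, BM9f4f2aa4),
  * an eight-letter random-looking file name under system32,
  * any LSA "Authentication Packages" entry besides the default msv1_0.
SAMPLE_LOG is constructed to mirror the shape of the posted log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/02/2005 05:45 PM]
"SMPAutoStart"="" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 02:56 AM]
"9c7c1938"="C:\WINDOWS\system32\pfftlgsm.dll" [05/11/2008 08:44 AM]
"BM9f4f2aa4"="C:\WINDOWS\system32\rgupnoxn.dll" [05/11/2008 08:44 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBUlJay
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "name"="data" [metadata]; tolerant of stray spaces inside the quotes
# (forum extraction leaves them) and of unquoted data such as the LSA line.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*?)\s*"\s*=\s*"?(?P<data>[^"\[]*?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run$', re.I)
LSA_KEY_RE = re.compile(r'\\control\\lsa$', re.I)
GENERATED_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')   # 9c7c1938, BM9f4f2aa4
RANDOM_FILE_RE = re.compile(r'^[a-z]{8}\.(?:dll|exe)$')    # pfftlgsm.dll
SYSTEM32_RE = re.compile(r'\\system32\\', re.I)
DEFAULT_AUTH_PACKAGES = {'msv1_0'}   # assumption: the stock XP package list


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list


def parse_loading_points(text):
    """Return {registry key: [(value name, data), ...]} for the log text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key')
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group('name'), m.group('data').strip()))
    return sections


def triage(sections):
    """Apply the heuristics; every finding lists the reasons that fired."""
    findings = []
    for key, entries in sections.items():
        if RUN_KEY_RE.search(key):
            for name, data in entries:
                basename = data.replace('/', '\\').split('\\')[-1].lower()
                reasons = []
                if basename.endswith('.dll'):
                    reasons.append('Run value loads a DLL (rundll32-style loader)')
                if GENERATED_NAME_RE.match(name):
                    reasons.append('machine-generated value name')
                if RANDOM_FILE_RE.match(basename) and SYSTEM32_RE.search(data):
                    reasons.append('random-looking file name in system32')
                if reasons:
                    findings.append(Finding(key, name, data, reasons))
        elif LSA_KEY_RE.search(key):
            for name, data in entries:
                if name.lower() != 'authentication packages':
                    continue
                extras = [p for p in data.split()
                          if p.lower() not in DEFAULT_AUTH_PACKAGES]
                if extras:
                    findings.append(Finding(key, name, data,
                                            ['extra LSA authentication package: ' + ', '.join(extras)]))
    return findings


def triage_log(text):
    """Parse and triage in one call; returns the list of Finding objects."""
    return triage(parse_loading_points(text))


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'{f.name!r} in [{f.key}] -> {f.data}')
        for r in f.reasons:
            print('    -', r)
```

    Run against SAMPLE_LOG it reports only the two generated-name Run entries and the LSA line; ccApp, ctfmon.exe and the empty SMPAutoStart value pass. The file-name test is deliberately restricted to system32 because plenty of legitimate executables have eight-letter names (MSConfig.exe in the sample is one), so treat every hit as a lead to verify against the file's date, size and signer, not as a verdict.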


  4. 2008/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi David, and welcome to WindowsBBS :)

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows.
    • Double-click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  5. 2008/05/13
    dmcmillen

    dmcmillen Inactive Thread Starter

    Joined:
    2008/05/11
    Messages:
    10
    Likes Received:
    0
    Notes & ComboFix Log

    Hi noahdfear,

    I really appreciate your help as a volunteer! Just a few notes and comments to bring you up to date on what I've done and the current status, and then I'll post the log file.

    - Yesterday, I ran ATF-Cleaner and emptied everything.

    - I disabled Spy Sweeper, Windows Firewall, and Norton AntiVirus but forgot to disable script checking in Norton. When ComboFix ran, it hung on reboot with a DLL init failure on catchme.cfexe because of the window shutting down. I hit hard reset, and when ComboFix continued to run on reboot, Norton detected the ComboFix scripts; with ComboFix using 100% CPU, I had to manually kill the Norton apps, and ComboFix then continued and gave a log file.

    - ComboFix cleaned the geBUlJay sub-authentication entry from the registry (HKLM\system\currentcontrolset\control\lsa) and removed the ini files from the system32 directory!!

    - On reboot and ComboFix completion, ndrpfdth.ini and 2 new dlls (ntdfprdn and svtvfans) had been added to the system32 dir, and 2 new rundll32 processes existed (replacing the old ones), started from 2 new registry startup entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    - Same problems existed with Firefox and IE. (unable to get to some sites)

    - I killed the 2 rundll32 processes
    - I moved the bogus dll and ini files to quarantine dir
    - I deleted the 2 HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry entries (9c7c1938/ntdfprdn and BM9f4f2aa4/svtvfans). This time a new ini file did not get recreated in the system32 dir
    - I rebooted
    - BM9f4f2aa4/svtvfans is back in registry ..CurrentVersion\Run again (did not load because did not find file in system32 dir which I had moved)
    - No rundll processes exist and no new ini files
    - Firefox and IE working ok!

    So something is still creating the registry entry and file on shutdown or startup. I searched the registry for any other instances of these names and found none.

    I don't know whether this is part or all of the infopass.gampass or downloader viruses, since Norton only detected the infopass virus in an exe that I knew I had run, and detected the downloader virus in a couple of internet temp files while I was working, couldn't clean/delete them, and then they were gone when I went to look for them.

    Let me know what I've got and what else I need to do. Thanks again for all your help!!

    David

    ComboFix 08-05-12.1 - David 2008-05-13 8:41:47.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.506 [GMT -5:00]
    Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\FunWebProducts
    C:\Program Files\MyWebSearch
    C:\Program Files\MyWebSearch\bar\History\search2
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\awtuvSji.dll
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\fgyxylcj.ini
    C:\WINDOWS\system32\geBUlJay.dll
    C:\WINDOWS\system32\hgGawVNe.dll
    C:\WINDOWS\system32\mlJBqpOe.dll
    C:\WINDOWS\system32\msgltffp.ini
    C:\WINDOWS\system32\ndrpfdth.ini
    C:\WINDOWS\system32\qomrifjo.ini
    C:\WINDOWS\system32\yaJlUBeg.ini
    C:\WINDOWS\system32\yaJlUBeg.ini2
    C:\WINDOWS\system32\yayxuSjj.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
    .

    2008-05-13 08:55 . 2008-05-13 08:55 22 --a------ C:\WINDOWS\pskt.ini
    2008-05-12 18:17 . 2008-05-12 18:17 8,774 --a------ C:\Registry Backup 05-12-08-1.reg
    2008-05-12 17:47 . 2008-05-12 17:48 134,102,134 --a------ C:\Registry Backup 05-12-08.reg
    2008-05-12 08:54 . 2008-05-12 08:54 132,096 --a------ C:\WINDOWS\system32\cmynqbtm.dll
    2008-05-12 08:51 . 2008-05-12 08:51 2,048 --a------ C:\WINDOWS\system32\qshnymyp.exe
    2008-05-12 08:48 . 2008-05-12 08:48 115,712 --a------ C:\WINDOWS\system32\htdfprdn.dll
    2008-05-12 08:45 . 2008-05-12 08:45 125,952 --a------ C:\WINDOWS\system32\svtvfans.dll
    2008-05-12 07:45 . 2008-05-12 07:45 <DIR> d-------- C:\Deckard
    2008-05-11 18:02 . 2008-05-11 18:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-11 08:47 . 2008-05-11 08:47 133,120 --a------ C:\WINDOWS\system32\dwpsbxji.dll
    2008-05-11 08:47 . 2008-05-11 08:47 2,048 --a------ C:\WINDOWS\system32\vuhfuuli.exe
    2008-05-11 08:44 . 2008-05-11 08:44 126,976 --a------ C:\WINDOWS\system32\rgupnoxn.dll
    2008-05-11 08:41 . 2008-05-11 08:41 126,976 --a------ C:\WINDOWS\system32\qvjmeqon.dll
    2008-05-10 15:11 . 2008-05-10 15:10 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-05-10 15:10 . 2008-05-10 15:14 <DIR> d-------- C:\Documents and Settings\David\.housecall6.6
    2008-05-10 11:31 . 2008-05-10 11:34 <DIR> d-------- C:\WINDOWS\David's Potential Bad Stuff
    2008-05-10 08:50 . 2008-05-10 08:50 134,656 --a------ C:\WINDOWS\system32\tlkbnpas.dll
    2008-05-10 08:44 . 2008-05-10 08:44 2,048 --a------ C:\WINDOWS\system32\sudoedhg.exe
    2008-05-09 08:44 . 2008-05-09 08:44 133,120 --a------ C:\WINDOWS\system32\qfvlrvls.dll
    2008-05-09 08:41 . 2008-05-09 08:41 2,048 --a------ C:\WINDOWS\system32\kbnmvlto.exe
    2008-05-09 08:40 . 2008-05-09 08:40 123,392 --a------ C:\WINDOWS\system32\arijbajm.dll
    2008-05-09 08:40 . 2008-05-13 08:56 109,803 --a------ C:\WINDOWS\BM9f4f2aa4.xml
    2008-05-08 11:40 . 2008-05-08 11:40 <DIR> d-------- C:\Program Files\OJOsoft
    2008-04-29 21:48 . 2008-04-29 21:49 1,123 --a------ C:\WINDOWS\APDFPRP.INI
    2008-04-29 21:47 . 2008-04-29 21:47 <DIR> d-------- C:\Program Files\ElcomSoft
    2008-04-29 21:45 . 2008-04-25 05:00 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2008-04-29 21:45 . 2008-04-25 05:00 349,184 --a------ C:\WINDOWS\system32\avisynth.dll
    2008-04-27 14:25 . 2008-04-27 14:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-04-27 14:25 . 2008-04-27 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-04-26 13:22 . 2008-04-26 13:22 278 --a------ C:\ed9662bf09b5947.dat
    2008-04-26 13:22 . 2008-04-26 13:22 278 --a------ C:\68a2ee5b10a5b81.dat
    2008-04-26 13:14 . 2008-05-08 11:38 <DIR> d-------- C:\Documents and Settings\David\Application Data\Azureus
    2008-04-26 13:14 . 2008-04-26 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2008-04-26 13:05 . 2008-04-26 13:06 <DIR> d-------- C:\Program Files\Azureus
    2008-04-26 12:57 . 2008-04-26 12:57 <DIR> d-------- C:\Program Files\DIFX
    2008-04-26 12:56 . 2008-04-26 12:56 <DIR> d-------- C:\Program Files\Common Files\Aladdin Shared
    2008-04-26 12:56 . 2008-04-26 12:56 <DIR> d-------- C:\Documents and Settings\David\Application Data\Chief Architect Full Version 11
    2008-04-26 12:56 . 2007-03-06 21:39 694,272 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
    2008-04-26 12:56 . 2007-03-15 14:48 535,807 --a------ C:\WINDOWS\system32\hasplms.exe
    2008-04-26 12:56 . 2007-03-15 14:48 535,807 --a------ C:\WINDOWS\system32\aksllmtp.exe
    2008-04-26 12:56 . 2007-03-12 20:48 351,744 --a------ C:\WINDOWS\system32\drivers\aksfridge.sys
    2008-04-26 12:29 . 2008-04-26 12:55 <DIR> d-------- C:\Program Files\Chief Architect Inc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-13 13:56 --------- d-----w C:\Documents and Settings\David\Application Data\Skype
    2008-05-13 13:55 --------- d-----w C:\Documents and Settings\David\Application Data\WTablet
    2008-05-13 13:39 --------- d-----w C:\Documents and Settings\David\Application Data\MxBoost
    2008-05-13 13:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-05-13 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-05-11 22:20 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-05-11 22:01 --------- d-----w C:\Documents and Settings\David\Application Data\Corel
    2008-05-05 22:00 --------- d-----w C:\Program Files\Java
    2008-04-27 19:25 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-22 13:35 --------- d-----w C:\Program Files\Apple Software Update
    2008-04-21 20:06 --------- d-----w C:\Program Files\iTunes
    2008-04-21 20:05 --------- d-----w C:\Program Files\iPod
    2008-04-21 20:02 --------- d-----w C:\Program Files\QuickTime
    2008-04-15 15:26 --------- d-----w C:\Program Files\Investintech.com Inc
    2008-04-10 23:41 --------- d-----w C:\Program Files\MSECACHE
    2008-04-08 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
    2008-04-08 01:07 --------- d-----w C:\Documents and Settings\David\Application Data\ATI MMC
    2008-04-02 15:49 --------- d-----w C:\Program Files\TBFDropZone
    2008-04-02 15:29 --------- d-----w C:\Documents and Settings\David\Application Data\Axosoft
    2008-03-31 18:27 --------- d-----w C:\Program Files\Maxthon2
    2008-03-31 14:57 --------- d-----w C:\Documents and Settings\David\Application Data\U3
    2008-03-22 20:21 --------- d-----w C:\Program Files\Google
    2008-03-14 01:33 --------- d-----w C:\Program Files\Western Digital Technologies
    2008-01-30 20:01 56,912 ----a-w C:\Documents and Settings\David\g2mdlhlpx.exe
    2003-04-10 13:50 722 ----a-w C:\Program Files\INSTALL.LOG
    2002-04-11 18:47 57,344 ----a-w C:\Documents and Settings\Microsoft Pointing Device\dplaunch.exe
    2006-10-17 01:04 13,386 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2006-12-08 02:13 92,746 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    2006-11-03 02:26 88 --sh--r C:\WINDOWS\system32\F117EB52BB.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dilberttest3 web link"="C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe" [2002-01-31 12:31 31232]
    "ATI Launchpad"="" []
    "Startup Manager"="C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe" [ ]
    "Aim6"="" []
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09 23395880]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 07:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-12-12 07:45 28160]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-07 05:20 100056]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SMPAutoStart"="" []
    "Norton Save and Restore"="C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-11 20:36 1582744]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "MXOBG"="C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
    "MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 09:21 823296]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 17:38 94208 C:\WINDOWS\KHALMNPR.Exe]
    "Logitech BT Wizard"="LBTWiz.exe" []
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00 28672]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-03-04 18:09 1257472]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 00:19 172032]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
    "HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 11:00 53248]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56 40960]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-02 17:45 52896]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 22:00 315392]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 13:41 196608]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 07:07 69632]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]
    "9c7c1938"="C:\WINDOWS\system32\htdfprdn.dll" [2008-05-12 08:48 115712]
    "BM9f4f2aa4"="C:\WINDOWS\system32\svtvfans.dll" [2008-05-12 08:45 125952]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E} "= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 04:54 38400]
    "{FE24CD78-7C63-465D-8787-4EDF7FC79895} "= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-09-05 11:15 69632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-05-05 08:27 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i263_32.drv
    "VIDC.UYVY "= C:\WINDOWS\System32\msyuv.dll
    "VIDC.YUY2 "= ATIVYUY.DLL
    "aux "= ctwdm32.dll
    "msacm.ctmp3 "= C:\WINDOWS\System32\ctmp3.acm
    "VIDC.VCR2 "= ATIVCR2.DLL
    "VIDC.DRAW "= DVIDEO.DLL
    "VIDC.VCR1 "= ATIVCR1.DLL
    "VIDC.YV12 "= ATIYUV12.DLL
    "VIDC.YU12 "= ATIYUV12.DLL
    "vidc.MJPG "= m3jpeg32.dll
    "vidc.dmb1 "= m3jpeg32.dll
    "VIDC.I263 "= i263_32.drv
    "msacm.dvacm "= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f4f2aa4]
    --a------ 2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Real\\RealOne Player\\realplay.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=
    "C:\\Program Files\\AIM95\\aim.exe "=
    "C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\QuickTime\\QuickTimePlayer.exe "=
    "C:\\Program Files\\Maxthon2\\Modules\\MxDownloader\\MxDownloadServer.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Azureus\\Azureus.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1947:TCP "= 1947:TCP:HASP SRM
    "1947:UDP "= 1947:UDP:HASP SRM

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 00:07]
    R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 20:48]
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-03-04 17:31]
    R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-01-08 11:16]
    R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
    R2 Norton Save and Restore;Norton Save and Restore;C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe [2006-04-11 20:36]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE [2000-09-28 23:58]
    R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\KTC111.SYS [2001-08-17 13:12]
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
    R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 14:18]
    R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-02-14 14:19]
    S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys [2002-11-28 21:23]
    S3 TAPBIND;TAPBIND;C:\WINDOWS\TEMP\_ISTMP1.DIR\_ISTMP0.DIR\TAPBIND1.SYS []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5302e3b-f14c-11dc-81cd-00c0f076ea9e}]
    \Shell\AutoRun\command - H:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-07 17:56:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-05-10 15:11:46 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - David.job "
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-13 08:54:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\ndrpfdth.ini 754142 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\NSCSRVCE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Messenger\msmsgs.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-13 9:15:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-13 14:15:04

    Pre-Run: 120,982,429,696 bytes free
    Post-Run: 120,870,957,056 bytes free

    277 --- E O F --- 2008-05-13 12:28:29
     
  6. 2008/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    File::
    C:\WINDOWS\system32\cmynqbtm.dll
    C:\WINDOWS\system32\qshnymyp.exe
    C:\WINDOWS\system32\htdfprdn.dll
    C:\WINDOWS\system32\svtvfans.dll
    C:\WINDOWS\system32\dwpsbxji.dll
    C:\WINDOWS\system32\vuhfuuli.exe
    C:\WINDOWS\system32\rgupnoxn.dll
    C:\WINDOWS\system32\qvjmeqon.dll
    C:\WINDOWS\system32\tlkbnpas.dll
    C:\WINDOWS\system32\sudoedhg.exe
    C:\WINDOWS\system32\qfvlrvls.dll
    C:\WINDOWS\system32\kbnmvlto.exe
    C:\WINDOWS\system32\arijbajm.dll
    C:\WINDOWS\BM9f4f2aa4.xml
    Rootkit::
    C:\WINDOWS\system32\ndrpfdth.ini
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "UserFaultCheck"=-
     "MSConfig"=-
     "9c7c1938"=-
     "BM9f4f2aa4"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f4f2aa4]
    Driver::
    TAPBIND
    
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  7. 2008/05/14
    dmcmillen

    dmcmillen Inactive Thread Starter

    Joined:
    2008/05/11
    Messages:
    10
    Likes Received:
    0
    Question??

    Dave,

    Thanks again for your help! I'm not sure whether you still want me to use the script as is because I have already moved all these system32 files to another directory and some of the registry entries are gone. Anyway, let me know what you want me to do.

    C:\WINDOWS\BM9f4f2aa4.xml is still there as well as C:\WINDOWS\BM9f4f2aa4.txt which I am posting below. Looks like a log of what it has been doing.

    The following are also gone:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"=-
    "9c7c1938"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f4f2aa4]
    Driver::

    C:\WINDOWS\BM9f4f2aa4.txt
    9.5.2008 - 8:40:42:312: Process attached explorer - 0 - 0
    9.5.2008 - 8:40:42:687: Start thread connector, thread id: - 2288 - 0
    9.5.2008 - 8:40:50:765: Start thread protector, thread id: - 3160 - 0
    9.5.2008 - 8:41:16:78: Stop thread protector, thread id: - 3160 - 0
    9.5.2008 - 8:41:20:562: Process detach - 0 - 0
    9.5.2008 - 8:41:29:265: Process attached explorer - 0 - 0
    9.5.2008 - 8:41:32:843: Start thread connector, thread id: - 3372 - 0
    9.5.2008 - 8:41:32:968: Start thread protector, thread id: - 588 - 0
    9.5.2008 - 15:26:28:250:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    9.5.2008 - 15:27:59:375:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    9.5.2008 - 15:29:47:421:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    9.5.2008 - 15:31:7:765:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    9.5.2008 - 15:33:30:578:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    9.5.2008 - 15:37:48:953:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    9.5.2008 - 15:38:58:156:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\arijbajm.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    10.5.2008 - 8:41:24:531: Process attached explorer - 0 - 0
    10.5.2008 - 8:41:26:625: Start thread connector, thread id: - 4996 - 0
    10.5.2008 - 8:41:26:625: Start thread protector, thread id: - 2224 - 0
    10.5.2008 - 8:41:38:375: Stop thread protector, thread id: - 588 - 0
    10.5.2008 - 8:41:38:375: Stop thread protector, thread id: - 2224 - 0
    10.5.2008 - 8:41:38:375: Stop thread connector, thread id: - 3372 - 0
    10.5.2008 - 8:41:38:546: Process detach - 0 - 0
    10.5.2008 - 8:41:39:453: Process detach - 0 - 0
    10.5.2008 - 8:41:48:468: Process attached explorer - 0 - 0
    10.5.2008 - 8:41:49:265: Start thread connector, thread id: - 4712 - 0
    10.5.2008 - 8:41:49:312: Start thread protector, thread id: - 4544 - 0
    10.5.2008 - 10:8:2:625:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\yhhmxxqw.dll
    St Addr 0x02910000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 8:41:49:875: Process attached explorer - 0 - 0
    11.5.2008 - 8:41:58:703: Start thread connector, thread id: - 2660 - 0
    11.5.2008 - 8:41:58:765: Start thread protector, thread id: - 5920 - 0
    11.5.2008 - 8:42:6:156: Stop thread connector, thread id: - 2660 - 0
    11.5.2008 - 8:42:6:156: Stop thread protector, thread id: - 5920 - 0
    11.5.2008 - 8:42:7:218: Process detach - 0 - 0
    11.5.2008 - 8:42:10:125: Process attached explorer - 0 - 0
    11.5.2008 - 8:42:10:500: Start thread connector, thread id: - 6100 - 0
    11.5.2008 - 8:42:13:828: Start thread protector, thread id: - 4868 - 0
    11.5.2008 - 8:44:26:843: Process attached explorer - 0 - 0
    11.5.2008 - 8:44:32:687: Start thread connector, thread id: - 3684 - 0
    11.5.2008 - 8:44:32:734: Start thread protector, thread id: - 2972 - 0
    11.5.2008 - 8:44:44:453: Stop thread connector, thread id: - 6100 - 0
    11.5.2008 - 8:44:44:468: Stop thread protector, thread id: - 4868 - 0
    11.5.2008 - 8:44:44:468: Stop thread protector, thread id: - 2972 - 0
    11.5.2008 - 8:44:44:484: Process detach - 0 - 0
    11.5.2008 - 8:44:47:171: Process detach - 0 - 0
    11.5.2008 - 8:44:50:218: Process attached explorer - 0 - 0
    11.5.2008 - 8:44:50:703: Start thread connector, thread id: - 1064 - 0
    11.5.2008 - 8:44:53:437: Start thread protector, thread id: - 5408 - 0
    11.5.2008 - 11:11:33:109: Process attached explorer - 0 - 0
    11.5.2008 - 11:11:37:609: Start thread connector, thread id: - 3356 - 0
    11.5.2008 - 11:11:40:593: Start thread protector, thread id: - 3396 - 0
    11.5.2008 - 11:21:17:843:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:39:33:281:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:39:33:296:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:40:4:718:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:40:4:734:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:40:25:968:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:41:6:0:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:41:6:31:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:42:34:734:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:42:49:609:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:44:2:203:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:46:28:109:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:47:15:234:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:52:25:812:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:53:38:515:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:54:3:453:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:54:16:812:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:56:16:500:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 11:59:20:328:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 12:18:16:93:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 12:25:28:546:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 12:25:28:562:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 14:51:30:515:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 15:2:53:31:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 15:5:29:93:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 15:8:14:921:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x044B0000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 16:26:26:156: Process attached explorer - 0 - 0
    11.5.2008 - 16:26:30:250: Start thread connector, thread id: - 2656 - 0
    11.5.2008 - 16:26:30:359: Start thread protector, thread id: - 5020 - 0
    11.5.2008 - 16:32:22:500: Process attached explorer - 0 - 0
    11.5.2008 - 16:32:29:140: Start thread connector, thread id: - 3096 - 0
    11.5.2008 - 16:32:32:578: Start thread protector, thread id: - 3144 - 0
    11.5.2008 - 16:43:39:265:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\Explorer.EXE
    Module C:\WINDOWS\system32\rgupnoxn.dll
    St Addr 0x04100000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    11.5.2008 - 18:23:51:609: Process attached explorer - 0 - 0
    11.5.2008 - 18:23:59:421: Start thread connector, thread id: - 1144 - 0
    11.5.2008 - 18:23:59:703: Start thread protector, thread id: - 3316 - 0
    12.5.2008 - 7:33:8:531: Process attached explorer - 0 - 0
    12.5.2008 - 7:33:8:875: Start thread connector, thread id: - 4180 - 0
    12.5.2008 - 7:33:8:984: Start thread protector, thread id: - 4608 - 0
    12.5.2008 - 8:36:36:62: Process detach - 0 - 0
    12.5.2008 - 8:45:43:796: Process attached explorer - 0 - 0
    12.5.2008 - 8:45:44:984: Start thread connector, thread id: - 5096 - 0
    12.5.2008 - 8:45:44:984: Start thread protector, thread id: - 2280 - 0
    12.5.2008 - 8:45:51:609: Stop thread connector, thread id: - 5096 - 0
    12.5.2008 - 8:45:51:609: Stop thread protector, thread id: - 2280 - 0
    12.5.2008 - 8:45:52:640: Process detach - 0 - 0
    12.5.2008 - 8:45:57:578: Process attached explorer - 0 - 0
    12.5.2008 - 8:45:57:906: Start thread connector, thread id: - 4624 - 0
    12.5.2008 - 8:45:57:953: Start thread protector, thread id: - 4216 - 0
    12.5.2008 - 9:7:13:546: Process detach - 0 - 0
    12.5.2008 - 9:7:16:671: Process attached explorer - 0 - 0
    12.5.2008 - 9:7:17:15: Start thread connector, thread id: - 4020 - 0
    12.5.2008 - 9:7:17:640: Start thread protector, thread id: - 4180 - 0
    12.5.2008 - 9:12:23:843:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:20:46:484:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:34:10:671:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:34:30:437:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:36:25:687:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:36:59:156:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:37:55:218:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:49:6:843:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 9:49:38:437:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:19:56:750:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:21:47:593:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:27:23:984:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:28:40:312:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:29:20:453:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:37:49:328:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:42:30:250:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:55:24:31:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    12.5.2008 - 10:55:54:734:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x10000000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    13.5.2008 - 7:24:28:640: Process attached explorer - 0 - 0
    13.5.2008 - 7:24:31:156: Start thread connector, thread id: - 3308 - 0
    13.5.2008 - 7:24:33:593: Start thread protector, thread id: - 2260 - 0
    13.5.2008 - 8:42:8:937: Process attached explorer - 0 - 0
    13.5.2008 - 8:42:9:250: Start thread connector, thread id: - 2264 - 0
    13.5.2008 - 8:55:6:984: Process attached explorer - 0 - 0
    13.5.2008 - 8:55:7:484: Start thread connector, thread id: - 1184 - 0
    13.5.2008 - 8:55:7:796: Start thread protector, thread id: - 1336 - 0
    13.5.2008 - 9:15:8:93: Process attached explorer - 0 - 0
    13.5.2008 - 9:15:8:390: Start thread connector, thread id: - 4340 - 0
    13.5.2008 - 9:15:8:390: Start thread protector, thread id: - 2880 - 0
    13.5.2008 - 9:49:25:234:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x00D70000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    13.5.2008 - 9:52:40:843:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x00D70000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    13.5.2008 - 9:53:0:656:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x00D70000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
    13.5.2008 - 10:14:24:375:
    *** BEGIN EXCEPTION REPORT ***
    EXE C:\WINDOWS\explorer.exe
    Module C:\WINDOWS\system32\svtvfans.dll
    St Addr 0x00D70000
    Address 0x77C47631
    Code 0xC0000005 (-1073741819)
    Flags 0X00000000 (0)
    Params 2
    Param1 0x00000000 (0)
    Param2 0x0001003F (65599)
    *** END *** - 0 - 0
     
  8. 2008/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Since you've already dealt with the rest, use the following as described above to create a CFScript.txt and run it.

    Code:
    File::
    C:\WINDOWS\BM9f4f2aa4.xml
    Rootkit::
    C:\WINDOWS\system32\ndrpfdth.ini
    Driver::
    TAPBIND
    Post the new log along with a fresh HijackThis log.
     
  9. 2008/05/14
    dmcmillen

    dmcmillen Inactive Thread Starter

    Joined:
    2008/05/11
    Messages:
    10
    Likes Received:
    0
    ComboFix Log (HiJackThis in next reply)

    Dave,

    Here's the ComboFix log. HijackThis is in the next reply because of post length. Is there anything else I need to do, or does anything else pop out? It looks like this last round got it. What do you think?

    Also, what is the GrafBlumGroup stuff in the registry: hklm\system\currentcontrolset\control\lsa\GBG ?

    Can you recommend a good registry cleaner or any other tools you might think appropriate? I have used Advanced System Optimizer. And I currently use Norton AntiVirus, Spysweeper and the Windows firewall.

    David

    ComboFix 08-05-12.1 - David 2008-05-14 12:45:19.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.530 [GMT -5:00]
    Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\BM9f4f2aa4.xml
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\David\g2mdlhlpx.exe
    C:\WINDOWS\BM9f4f2aa4.xml
    C:\WINDOWS\pskt.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TAPBIND
    -------\Service_TAPBIND


    ((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
    .

    2008-05-14 09:49 . <DIR> C:\WINDOWS\LastGood.Tmp
    2008-05-12 18:17 . 2008-05-12 18:17 8,774 --a------ C:\Registry Backup 05-12-08-1.reg
    2008-05-12 17:47 . 2008-05-12 17:48 134,102,134 --a------ C:\Registry Backup 05-12-08.reg
    2008-05-12 07:45 . 2008-05-12 07:45 <DIR> d-------- C:\Deckard
    2008-05-11 18:02 . 2008-05-11 18:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-10 15:11 . 2008-05-10 15:10 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-05-10 15:10 . 2008-05-10 15:14 <DIR> d-------- C:\Documents and Settings\David\.housecall6.6
    2008-05-10 11:31 . 2008-05-14 10:42 <DIR> d-------- C:\David's Potential Bad Stuff
    2008-05-08 11:40 . 2008-05-08 11:40 <DIR> d-------- C:\Program Files\OJOsoft
    2008-04-29 21:48 . 2008-04-29 21:49 1,123 --a------ C:\WINDOWS\APDFPRP.INI
    2008-04-29 21:47 . 2008-04-29 21:47 <DIR> d-------- C:\Program Files\ElcomSoft
    2008-04-29 21:45 . 2008-04-25 05:00 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2008-04-29 21:45 . 2008-04-25 05:00 349,184 --a------ C:\WINDOWS\system32\avisynth.dll
    2008-04-27 14:25 . 2008-04-27 14:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-04-27 14:25 . 2008-04-27 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-04-26 13:22 . 2008-04-26 13:22 278 --a------ C:\ed9662bf09b5947.dat
    2008-04-26 13:22 . 2008-04-26 13:22 278 --a------ C:\68a2ee5b10a5b81.dat
    2008-04-26 13:14 . 2008-05-08 11:38 <DIR> d-------- C:\Documents and Settings\David\Application Data\Azureus
    2008-04-26 13:14 . 2008-04-26 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2008-04-26 13:05 . 2008-04-26 13:06 <DIR> d-------- C:\Program Files\Azureus
    2008-04-26 12:57 . 2008-04-26 12:57 <DIR> d-------- C:\Program Files\DIFX
    2008-04-26 12:56 . 2008-04-26 12:56 <DIR> d-------- C:\Program Files\Common Files\Aladdin Shared
    2008-04-26 12:56 . 2008-04-26 12:56 <DIR> d-------- C:\Documents and Settings\David\Application Data\Chief Architect Full Version 11
    2008-04-26 12:56 . 2007-03-06 21:39 694,272 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
    2008-04-26 12:56 . 2007-03-15 14:48 535,807 --a------ C:\WINDOWS\system32\hasplms.exe
    2008-04-26 12:56 . 2007-03-15 14:48 535,807 --a------ C:\WINDOWS\system32\aksllmtp.exe
    2008-04-26 12:56 . 2007-03-12 20:48 351,744 --a------ C:\WINDOWS\system32\drivers\aksfridge.sys
    2008-04-26 12:29 . 2008-04-26 12:55 <DIR> d-------- C:\Program Files\Chief Architect Inc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-14 17:55 --------- d-----w C:\Documents and Settings\David\Application Data\Skype
    2008-05-14 17:54 --------- d-----w C:\Documents and Settings\David\Application Data\WTablet
    2008-05-14 17:44 --------- d-----w C:\Documents and Settings\David\Application Data\MxBoost
    2008-05-14 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-05-14 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-05-11 22:20 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-05-11 22:01 --------- d-----w C:\Documents and Settings\David\Application Data\Corel
    2008-05-05 22:00 --------- d-----w C:\Program Files\Java
    2008-04-27 19:25 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-22 13:35 --------- d-----w C:\Program Files\Apple Software Update
    2008-04-21 20:06 --------- d-----w C:\Program Files\iTunes
    2008-04-21 20:05 --------- d-----w C:\Program Files\iPod
    2008-04-21 20:02 --------- d-----w C:\Program Files\QuickTime
    2008-04-15 15:26 --------- d-----w C:\Program Files\Investintech.com Inc
    2008-04-10 23:41 --------- d-----w C:\Program Files\MSECACHE
    2008-04-08 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
    2008-04-08 01:07 --------- d-----w C:\Documents and Settings\David\Application Data\ATI MMC
    2008-04-02 15:49 --------- d-----w C:\Program Files\TBFDropZone
    2008-04-02 15:29 --------- d-----w C:\Documents and Settings\David\Application Data\Axosoft
    2008-03-31 18:27 --------- d-----w C:\Program Files\Maxthon2
    2008-03-31 14:57 --------- d-----w C:\Documents and Settings\David\Application Data\U3
    2008-03-22 20:21 --------- d-----w C:\Program Files\Google
    2008-03-14 01:33 --------- d-----w C:\Program Files\Western Digital Technologies
    2003-04-10 13:50 722 ----a-w C:\Program Files\INSTALL.LOG
    2002-04-11 18:47 57,344 ----a-w C:\Documents and Settings\Microsoft Pointing Device\dplaunch.exe
    2006-10-17 01:04 13,386 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2006-12-08 02:13 92,746 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    2006-11-03 02:26 88 --sh--r C:\WINDOWS\system32\F117EB52BB.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-13_ 9.04.51.82 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
    + 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
    + 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
    + 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
    + 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
    + 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
    + 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
    + 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
    + 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
    + 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
    + 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
    + 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
    + 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
    + 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
    + 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
    + 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
    + 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
    - 2008-05-13 13:53:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-14 17:52:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-03-25 04:50:25 554,008 ------w C:\WINDOWS\system32\dllcache\dao360.dll
    + 2008-03-25 04:50:28 518,944 ------w C:\WINDOWS\system32\dllcache\msexch40.dll
    + 2008-03-25 04:50:30 326,432 ------w C:\WINDOWS\system32\dllcache\msexcl40.dll
    + 2008-03-25 04:50:34 1,516,568 ------w C:\WINDOWS\system32\dllcache\msjet40.dll
    - 2004-03-01 18:52:15 358,976 ------w C:\WINDOWS\system32\dllcache\msjetol1.dll
    + 2008-03-25 04:50:40 355,112 ------w C:\WINDOWS\system32\dllcache\msjetol1.dll
    + 2008-03-27 08:12:54 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    + 2008-03-25 04:50:42 60,192 ------w C:\WINDOWS\system32\dllcache\msjter40.dll
    + 2008-03-25 04:50:42 248,608 ------w C:\WINDOWS\system32\dllcache\msjtes40.dll
    + 2008-03-25 04:50:44 219,936 ------w C:\WINDOWS\system32\dllcache\msltus40.dll
    + 2008-03-25 04:50:45 355,104 ------w C:\WINDOWS\system32\dllcache\mspbde40.dll
    + 2008-03-25 04:50:47 432,928 ------w C:\WINDOWS\system32\dllcache\msrd2x40.dll
    + 2008-03-25 04:50:49 322,336 ------w C:\WINDOWS\system32\dllcache\msrd3x40.dll
    + 2008-03-25 04:50:52 559,904 ------w C:\WINDOWS\system32\dllcache\msrepl40.dll
    + 2008-03-25 04:50:55 264,992 ------w C:\WINDOWS\system32\dllcache\mstext40.dll
    + 2008-03-25 04:50:57 838,432 ------w C:\WINDOWS\system32\dllcache\mswdat10.dll
    + 2008-03-25 04:50:58 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
    + 2008-03-25 04:50:58 355,104 ------w C:\WINDOWS\system32\dllcache\msxbde40.dll
    - 2008-05-13 13:54:16 224,479 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-05-14 17:54:55 224,478 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    - 2004-08-04 07:56:43 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
    + 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
    - 2004-08-04 07:56:43 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
    + 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
    - 2004-08-04 07:56:43 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
    + 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
    - 2004-03-01 18:52:15 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
    + 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
    - 2004-08-04 07:56:43 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    + 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    - 2004-08-04 07:56:43 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
    + 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
    - 2004-08-04 07:56:43 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
    + 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
    - 2004-08-04 07:56:43 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
    + 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
    - 2004-08-04 07:56:43 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
    + 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
    - 2004-08-04 07:56:43 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
    + 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
    - 2004-08-04 07:56:43 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
    + 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
    - 2004-08-04 07:56:43 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
    + 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
    - 2004-08-04 07:56:43 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
    + 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
    - 2004-08-04 07:56:44 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
    + 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
    - 2004-08-04 07:56:44 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
    + 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    - 2004-08-04 07:56:44 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
    + 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
    + 2008-05-14 17:53:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c20.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dilberttest3 web link"="C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe" [2002-01-31 12:31 31232]
    "ATI Launchpad"="" []
    "Startup Manager"="C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe" [ ]
    "Aim6"="" []
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09 23395880]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 07:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-12-12 07:45 28160]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-07 05:20 100056]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SMPAutoStart"="" []
    "Norton Save and Restore"="C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-11 20:36 1582744]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "MXOBG"="C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
    "MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 09:21 823296]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 17:38 94208 C:\WINDOWS\KHALMNPR.Exe]
    "Logitech BT Wizard"="LBTWiz.exe" []
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00 28672]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-03-04 18:09 1257472]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 00:19 172032]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
    "HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 11:00 53248]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56 40960]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-02 17:45 52896]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 22:00 315392]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 13:41 196608]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 07:07 69632]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

    C:\Documents and Settings\David\Start Menu\Programs\Startup\
    MBM 5.lnk - C:\Program Files\Motherboard Monitor 5\MBM5.exe [2003-04-17 06:34:57 585216]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2006-06-06 10:21:45 221295]
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-03-22 19:40:26 622653]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-22 15:19:41 125624]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-11-28 11:04:50 573440]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 04:54 38400]
    "{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-09-05 11:15 69632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-05-05 08:27 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i263_32.drv
    "VIDC.UYVY"= C:\WINDOWS\System32\msyuv.dll
    "VIDC.YUY2"= ATIVYUY.DLL
    "aux"= ctwdm32.dll
    "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
    "VIDC.VCR2"= ATIVCR2.DLL
    "VIDC.DRAW"= DVIDEO.DLL
    "VIDC.VCR1"= ATIVCR1.DLL
    "VIDC.YV12"= ATIYUV12.DLL
    "VIDC.YU12"= ATIYUV12.DLL
    "vidc.MJPG"= m3jpeg32.dll
    "vidc.dmb1"= m3jpeg32.dll
    "VIDC.I263"= i263_32.drv
    "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\AIM95\\aim.exe"=
    "C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "C:\\Program Files\\Maxthon2\\Modules\\MxDownloader\\MxDownloadServer.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Azureus\\Azureus.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1947:TCP"= 1947:TCP:HASP SRM
    "1947:UDP"= 1947:UDP:HASP SRM

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 00:07]
    R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 20:48]
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-03-04 17:31]
    R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-01-08 11:16]
    R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
    R2 Norton Save and Restore;Norton Save and Restore;C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe [2006-04-11 20:36]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE [2000-09-28 23:58]
    R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\KTC111.SYS [2001-08-17 13:12]
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
    R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 14:18]
    R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-02-14 14:19]
    S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys [2002-11-28 21:23]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5302e3b-f14c-11dc-81cd-00c0f076ea9e}]
    \Shell\AutoRun\command - H:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-14 17:56:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-05-10 15:11:46 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - David.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-14 12:53:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\NSCSRVCE.EXE
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Messenger\msmsgs.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-14 13:05:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-14 18:04:55
    ComboFix2.txt 2008-05-13 14:15:13

    Pre-Run: 120,701,161,472 bytes free
    Post-Run: 120,695,013,376 bytes free

    340 --- E O F --- 2008-05-14 14:53:51



    See next reply for HiJackThis log
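The entries a responder would look at first in the Reg Loading Points section of the log above can be pulled out mechanically: the Security Center values set to 1 (AntiVirusDisableNotify, DisableMonitoring), EnableFirewall = 0 in the standard firewall profile, the Run entries whose target file is missing (shown as "[ ]"), the MXOBG entry launching from Local Settings\Temp, and the AutoRun command registered under mountpoints2 for the H: drive. The script below is an added example written by the editor; it is not ComboFix, HijackThis, or anything the thread's helpers posted. SAMPLE_LOG is a constructed excerpt that copies a few lines from the log above, and the flagging rules are the editor's own heuristics, not rules ComboFix applies.

```python
import re
from collections import namedtuple

# Constructed excerpt: a handful of lines copied from the ComboFix log posted in
# the thread, in ComboFix's canonical "Name"="command" [date time size] form.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Startup Manager"="C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09 23395880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MXOBG"="C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-02 17:45 52896]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5302e3b-f14c-11dc-81cd-00c0f076ea9e}]
\Shell\AutoRun\command - H:\wd_windows_tools\setup.exe
"""

Finding = namedtuple("Finding", "key name value reason")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="command" [date time size]  |  "Name"="command" [ ]  |  "Name"=dword:...
# Whitespace around '=' and inside the quotes is tolerated because the forum
# rendering of these logs inserts stray spaces there.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*?)\s*"\s*=\s*"?(?P<value>[^"\[]*?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*$'
)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")


def classify(key, name, value, meta):
    """Editor's heuristics: return why an entry deserves a look, or None."""
    lk, ln, lv = key.lower(), name.lower(), value.lower()
    if "security center" in lk and value.endswith("00000001"):
        if ln in ("antivirusdisablenotify", "firewalldisablenotify", "disablemonitoring"):
            return "Security Center notification/monitoring switched off"
    if "firewallpolicy" in lk and ln == "enablefirewall" and value.strip().startswith("0"):
        return "Windows Firewall disabled for this profile"
    if lk.endswith("\\run") or lk.endswith("\\runonce"):
        if "\\temp\\" in lv:
            return "autostart launches from a Temp directory"
        # ComboFix prints "[ ]" when it cannot find the file the value points at.
        if meta is not None and not meta.strip():
            return "autostart target not found on disk (stale or already removed)"
    return None


def triage(log_text):
    """Walk the Reg Loading Points text and return a Finding per flagged entry."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            findings.append(Finding(key, "AutoRun", m.group("cmd"),
                                    "AutoRun command registered for a mounted drive; confirm it is the drive's own tool"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value, meta = m.group("name"), m.group("value").strip(), m.group("meta")
        reason = classify(key, name, value, meta)
        if reason:
            findings.append(Finding(key, name, value, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.key}\n    {f.name} = {f.value}")
```

The script flags entries for review, not for deletion: UserFaultCheck pointing at a dumprep command that no longer resolves is a common benign leftover, and H:\wd_windows_tools\setup.exe is consistent with the Western Digital software listed elsewhere in the same log. The two groups worth reconciling with what the poster expects are the Security Center values (alerts and monitoring for the Symantec products turned off) and EnableFirewall = 0 in the standard profile, which means the Windows Firewall policy recorded in the log is off even though the poster describes using it.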
     
  10. 2008/05/14
    dmcmillen

    dmcmillen Inactive Thread Starter

    Joined:
    2008/05/11
    Messages:
    10
    Likes Received:
    0
    HiJackThis Log

    Here's the HijackThis log. I was unable to post it in the previous reply because of post length.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:09:18 PM, on 5/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\NSCSRVCE.EXE
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [Norton Save and Restore] "C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe "
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe "
    O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    --
    End of file - 16906 bytes
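As an added example (not code from this thread, from HijackThis, or from any of the tools mentioned in it), here is a small Python triage pass over O4 autorun lines in the format HijackThis prints. It flags the patterns this thread is about: a program launched from a Temp directory (as in the [MXOBG] line above), rundll32 loading a DLL with a random-looking name (the thread starter's description of the Run key), and bare filenames that Windows resolves through PATH. The sample lines are constructed for the example (the rundll32 line is modelled on the description, not copied from a log); flagged entries are leads to verify, not verdicts.

```python
"""Triage of HijackThis 'O4' autorun entries (added example, not HijackThis code).

Parses lines such as
    O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch
    O4 - Global Startup: Foo.lnk = C:\path\prog.exe
and attaches plain-text flags for the patterns discussed in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# hive ("HKLM\..\Run", "Startup", ...), optional [value name], then the command
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.+)$")
# anything run out of a user or system Temp directory
TEMP_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)
# rundll32 followed by the DLL it loads (quoted or not, up to the ',export' part)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+?\.dll)", re.IGNORECASE)


@dataclass
class O4Entry:
    hive: str
    name: str
    command: str
    flags: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for a HijackThis O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m.group("hive"), m.group("name") or "", m.group("command"))


def looks_random(basename: str) -> bool:
    """Weak heuristic for generated DLL names: eight letters with at most one vowel."""
    stem = basename.lower().rsplit(".", 1)[0]
    if not (stem.isalpha() and len(stem) == 8):
        return False
    return sum(c in "aeiou" for c in stem) <= 1


def first_token(command: str) -> str:
    """Executable part of a command: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_command(entry: O4Entry) -> str:
    """Startup-folder entries are printed as 'x.lnk = target'; use the target."""
    if entry.hive.endswith("Startup") and " = " in entry.command:
        return entry.command.split(" = ", 1)[1]
    return entry.command


def triage(entry: O4Entry) -> O4Entry:
    """Attach flags to one entry; an empty flag list means nothing stood out."""
    cmd = launch_command(entry)
    if cmd.strip() == "?":
        return entry  # HijackThis printed '?' instead of a target; nothing to check
    exe = first_token(cmd)
    if TEMP_RE.search(cmd):
        entry.flags.append("launched from a Temp directory")
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll")
        entry.flags.append("rundll32 loads DLL: verify %s" % dll)
        if looks_random(dll.rsplit("\\", 1)[-1]):
            entry.flags.append("random-looking DLL name")
    elif exe and "\\" not in exe and "%" not in exe:
        # no directory at all: Windows finds this through the PATH search order
        entry.flags.append("bare filename, resolved via PATH: verify location")
    return entry


def triage_log(text: str) -> List[O4Entry]:
    """Triage every O4 line in a HijackThis log; other sections are ignored."""
    return [triage(e) for e in (parse_o4(l) for l in text.splitlines()) if e]


# Constructed sample: the [MXOBG] line mirrors the posted log; the rundll32 line
# is modelled on the thread starter's description of the Run key.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [jclyxygf] rundll32.exe "C:\WINDOWS\system32\jclyxygf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O4 - Global Startup: APC UPS Status.lnk = ?
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        if e.flags:
            print("[%s] %s\n    -> %s" % (e.name or e.hive, e.command, "; ".join(e.flags)))
```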
     
  11. 2008/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good David. The LSA key and its subkeys, values and data are responsible for, among other things, validating user logon. The GBG subkey is a default key. Best to leave that area of the registry alone. ;)

    I was for a long time a die-hard fan of RegSeeker, up to and including version 1.45. Its predecessor, version 1.52, had a number of bugs. There are a couple of folks (credible) that were updating a custom excludes file to help defuse some of the bugs, and still recommend using it with version 1.55, although a number of the issues are reported as being addressed. I have used 1.55 a few times on various machines without incident, and without the custom excludes file.


    Let's clean up some temp files and get an online scan.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Please do an online scan with Kaspersky WebScanner

    Click Scan Now and Accept the agreement. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  12. 2008/05/15
    dmcmillen

    dmcmillen Inactive Thread Starter

    Joined:
    2008/05/11
    Messages:
    10
    Likes Received:
    0
    1st part of Kaspersky Log (HiJackThis to follow in next reply)

    Dave -- Sorry to split this up but size restriction is 35k chars. Most of what Kaspersky caught was already quarantined. What was interesting was that while Kaspersky was running, Norton deleted 7 of the files I had already quarantined in David's Potential Bad Stuff before or while Kaspersky was processing.

    Also, the one file that I think started all this mess, the Chief Architect keygen rar -- the one that contains the caX1Key.exe file that has the virus (the one I ran) - Kaspersky picks up as Backdoor.Win32.Hupigon.bebt and Norton picks up as Infostealer.Gampass???? And I know I scanned that file with Norton before I ran it, and it found nothing then (and I had the latest definitions).

    Anyway, what's your take on Kaspersky vs Norton and why??

    What should I do about the viruses in the System Restore?? I had System Restore turned off and Deckard started it again.

    Again, thanks for all your help.

    David

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, May 15, 2008 4:30:44 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 15/05/2008
    Kaspersky Anti-Virus database records: 775174
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics:
    Total number of scanned objects: 474309
    Number of viruses found: 31
    Number of infected objects: 242
    Number of suspicious objects: 2
    Duration of the scan process: 04:47:58

    Infected Object Name / Virus Name / Last Action
    C:\David's Potential Bad Stuff\arijbajm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rfg skipped
    C:\David's Potential Bad Stuff\jclyxygf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rfh skipped
    C:\David's Potential Bad Stuff\qfvlrvls.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rff skipped
    C:\David's Potential Bad Stuff\tlkbnpas.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rfe skipped
    C:\David's Potential Bad Stuff\yhhmxxqw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rfd skipped
    C:\Deckard\System Scanner\20080512082324\backup\WINDOWS\temp\symlcsv1.exe Infected: Trojan-Clicker.Win32.Agent.aig skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\call256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chat512.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chat8192.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chatmember256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chatmsg1024.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chatmsg2048.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chatmsg256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chatmsg4096.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\chatmsg512.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\dyncontent\bundle.dat Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\index2.dat Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\profile256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\user1024.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Skype\david.mcmillen\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\David\Application Data\Webroot\Spy Sweeper\Logs\080515103144.ses Object is locked skipped
    C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/MS Home Solutions/Justin/14 Aug 2004 06:32 from Justin Allen:Event Incentives!!!.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\outlook.pst MailMSMaill: suspicious - 1 skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\hpotdd000.log Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_1160.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_288.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_4cc.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\David\My Documents\Azureus Downloads\Chief.Architect.X1.Keygen\Chief.Architect.X1.Keygen.rar/caX1key.exe Infected: Backdoor.Win32.Hupigon.bebt skipped
    C:\Documents and Settings\David\My Documents\Azureus Downloads\Chief.Architect.X1.Keygen\Chief.Architect.X1.Keygen.rar RAR: infected - 1 skipped
    C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\David\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS004E32DF-8142-4B44-933B-1993539DD1A0.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0147BC4D-1709-4193-AD99-1A0EB6F1EB2E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS01D0B996-2887-4448-A42B-7E1470A22472.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS06533B0E-48F4-444F-AFCB-A0018DEC7742.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0B47EF92-0C66-4502-8A72-48CA55604D8A.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0C84C8EA-55FE-42A6-A197-15666FE347F9.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0E399E16-159A-4FBC-8BC4-6EF8E100817E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS12AAD975-2ED1-41CC-B082-0A22602E3110.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS15ADAAFC-1A66-4871-9832-6D2C792BC16A.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS17268E91-AE73-448A-AA78-69BA48CE8FA8.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS18C64BA1-D8BE-4CF6-86F2-812BC0E738D4.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1C2E5F17-4199-4D97-B035-BBEF397CC345.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS22244F76-6F00-474D-A880-3A8014D57A7B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS24CEF898-9B76-4442-ACFC-6279EB13C76A.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS25744030-DEBC-4755-8427-09C6D70C0844.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2CEA1EF6-F9D8-44C6-844A-96379BF01D1A.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS31FB20F3-B3E2-4D32-95AB-0D2FA80EC2CF.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3833785B-763A-47D7-BE72-18C3753CB0AB.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3B119D69-A4E0-410E-98B1-62D1C68B8431.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3D961952-130B-48AC-BF0D-91899FAFA100.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS41944754-922A-485B-A121-2ACB895496C0.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4708BEB4-DD50-436E-93D1-94A6EC1F5CA7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS47F33C88-659D-4FCC-9D49-90C337F038F0.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS47F3FE82-C756-4F18-BA7D-17CD034C30F3.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS481E807F-163A-42A0-8C04-0551045ABB35.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS49B6AB0E-BD20-4826-BD05-899915383549.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS50924E85-50F1-42B8-AA52-2AF6F8590561.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5D5123DD-FE5C-4DC4-9E76-30AB401217D4.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5D528490-C3F1-461C-89EF-65398D345E74.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5EAC9570-0129-4CE2-AD76-6FAD155005FC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5F847E31-30E5-4CB3-975D-9B8B51AF0ACC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5FF038AC-A0A0-49B9-B701-62F8785C45E7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS60E3E865-FC5D-423D-89C7-AC3C2496A1C1.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS65CA0F5C-E7B3-4ACC-A47E-4FF93D9C5103.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS691C18BC-8628-423F-B995-E5526524926B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6AB4A759-234B-4CF9-9859-B8EAC1EE6623.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6D329FED-17C5-42DD-B49D-1E0CECE5888A.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS761CDCAA-14C1-400E-878C-0CC6BD20BA79.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7BFE6128-D2B5-4F21-B27F-D39CE5F15985.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7DF1F0FF-D041-4DA1-A871-3314D8269A89.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS84D23307-9AA1-409A-9CE1-6750442BF7A3.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8CF7BAA5-22E2-4653-94AB-C88EF2CF6841.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS92AB728C-B7CD-4732-9CA2-07535E934F31.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS939E6EB4-5316-4FF0-BA5C-DDFA3F9EA044.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9554CD7D-F776-44B1-8FFF-790FF16060CC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS96BE644D-B929-489C-B16A-7CD67771846F.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9CCDFA42-A7CF-4155-B553-7F57F6771C08.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9D37E06D-3B3F-480F-8EB7-827190E5F1F7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9DD0FD74-3036-4BE2-AD6F-A5A146F56948.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA233E8B9-C07C-4B35-88A4-C92476FDDED1.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA3A00AF6-81D0-4D95-9F96-4A92A57B6605.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA5ED92BD-BDC6-4372-BE36-D173053B72C8.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA61515F5-67A1-4013-8EE7-89D6775C52DE.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA9A1F63A-223F-4043-BABF-9B69DF454E55.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAC3ECCDD-A757-4C6E-BC90-3E026D182DD8.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSADEBD182-B288-4A94-90D4-1154D9B5C218.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB0B93B7A-8E0C-4227-810D-CD4F157315E4.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB4860993-B41F-40D9-A41A-30927371CE32.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB8C35859-6D48-44D6-A9E4-0E6870FC7A31.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBBF4F0DE-32D0-4613-9719-9D5751B92748.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBDDB3A17-04DC-42EB-96FA-5E8533643005.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC22162D4-6819-4B67-AAE1-57BE501EC76F.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC77F1570-EEE0-4B50-B4A2-3EDF80ABCD88.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCA56294A-6017-4251-AC59-CBFD0FB96B51.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCB34E138-954C-4DC2-B285-DD4D6EFB9C1B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCD1985D4-157B-495C-BCFF-89A1882D92E3.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCDE29593-01AD-4335-88FF-1445C81D3383.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCF971DDA-BD50-4EFB-B126-44D470B090F4.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD41FC548-F20A-48A8-968E-A2E3F39854EC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD517D799-A93B-4ADE-B7C6-B621F0F51B82.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD794E730-D496-4A73-A584-F429FB4D4E08.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDA76E1B8-6A9D-4078-A1FD-C7562CB1F651.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDE385EC4-376B-4BB0-96DD-DFD21007A93E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE2770EC3-0125-4AFD-9AA5-B00BDA1DB0BB.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE3FD7820-6F63-421E-BC0F-A3A7FE296776.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE7E878BF-0401-40BF-96A6-05A7400C5885.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE9FEE22D-F748-400B-9928-7F614AE9EC89.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEBEDB26F-2037-4F22-B0B1-C77FE304E926.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEBF558D9-2E64-4291-BED0-2BBE50BFDA82.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF05C276D-2289-43E8-A6E0-7C3E26C5F090.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF07FF9AA-5132-47E9-A26F-FBF22303FFC1.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF1A142AE-2FAB-4981-A592-8AA797BDAB6E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF31DEFA7-B5AA-4360-8454-6337762E59FC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF32E0E9D-E604-4D9E-B819-62CE3E2F9B00.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF48036AB-5FAF-40FE-AEE0-976C3474D9DA.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF65282A7-91C6-4089-8AB5-1649D5FF790A.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF6563949-4D16-4399-BF8A-BDF71EA8B245.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF78F2745-E61B-4F43-99DB-C50A955EC0F1.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFF6FA473-2F19-451E-97F7-D0991806F349.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Download\MyFunCards\MyFunCardsSetup2.2.60.9.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.av skipped
    C:\Download\MyFunCards\MyFunCardsSetup2.2.60.9.exe CAB: infected - 1 skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

    See next reply for rest of log (due to size restriction)
     
  13. 2008/05/15
    dmcmillen

    dmcmillen Inactive Thread Starter

    Joined:
    2008/05/11
    Messages:
    10
    Likes Received:
    0
    2nd part of Kaspersky log

    Here's the 2nd part of Kaspersky log

    C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0044493D.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\007412F4 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\024D6D62 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0266063A Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\02B054B7.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\04D77A24.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\052553DD.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\05990147.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\06242DE4.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\06412300.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\06D45016.scr Infected: Backdoor.Win32.Loony.m skipped
    C:\Program Files\Norton AntiVirus\Quarantine\07277974.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\073006F4.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\074058E2.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\074D00D4.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\077722A5.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\07854A97.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\07887493.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\084F791C.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\08BA02D5.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\08E378F0.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\09B6002D.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\09B60526.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0A340E7D.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0A6D2F63.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0A812B4E.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0AAE771C.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0AD66EF0.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0AEC14D7.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B0764BB.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B182C4F.scr Infected: Backdoor.Win32.Loony.m skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B482C73.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B4B566F.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B5B091A.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B5B091A.tmp Infected: not-virus:BadJoke.Win16.Stupid.a skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B7C2CF6.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B832032.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0B961C1C.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0D08689D.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0DBA0EA7.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0E7561F3 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\11B469E2.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\11BA62E0.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\12CA4ABE.scr Infected: P2P-Worm.Win32.SpyBot.fu skipped
    C:\Program Files\Norton AntiVirus\Quarantine\12EE452E.scr Infected: Backdoor.Win32.Loony.m skipped
    C:\Program Files\Norton AntiVirus\Quarantine\14100514.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\14DF03A9.scr Infected: P2P-Worm.Win32.SpyBot.gl skipped
    C:\Program Files\Norton AntiVirus\Quarantine\15920E99 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\15B111F7.scr Infected: Backdoor.Win32.IRCBot.gen skipped
    C:\Program Files\Norton AntiVirus\Quarantine\16012992.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\166E785C Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\16712258 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\16FA26CC.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\17317882.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\17BE6258 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\17C77913.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\17FD6830.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1852622C Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1929238F Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1B4A00D5.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1BAC4DC3.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1D3D640A Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1D4425E1.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1E1A78C8.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1ED1484F.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1EF46DAC Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1F4C0D11.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1F764BAD.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\203427B7.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\20CB3312.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\20CE5D0E.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\20FB5002.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\20FC28DC.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21506212.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21540C0E.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2157360A.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\215A6007.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21613400.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\216707F9.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\216E5BF1.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21742FEA.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\217B03E3.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\218157DC.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\218501D8.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\218B55D1.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21FA6957.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21FD1353.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\220A4D6A.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\220C562F Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\224E186A Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2285779E.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\25CF0068.scr Infected: Backdoor.Win32.Loony.m skipped
    C:\Program Files\Norton AntiVirus\Quarantine\26153D8F Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\27921F6E Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\27AD4BDE.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\27BA2371.scr Infected: P2P-Worm.Win32.SpyBot.gl skipped
    C:\Program Files\Norton AntiVirus\Quarantine\28D561E0.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\28F30929.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\290D2FCE.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\293B57E7.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\297F4640.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\29E44030.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2AB11591 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2B414AC3.scr Infected: Backdoor.Win32.Litmus.203 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2BB67848.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2C9123D9 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2D510BEE.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2D875957.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2FE37A5A Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\305A5835 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\30F201FF.scr Infected: Backdoor.Win32.Litmus.203 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\31B96ABA Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\32AB71AF.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\34651DDE.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3488517D Infected: not-a-virus:Server-Proxy.Win32.CCProxy.52 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\34CB13E6.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\351134E6 Infected: Backdoor.Win32.Thredsys.22 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\35195E88.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\36154EDF.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\373721A4.scr Infected: Backdoor.Win32.Hackarmy.gen skipped
    C:\Program Files\Norton AntiVirus\Quarantine\38246427.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\38520100.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3979007E.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3A020BE5 Infected: Email-Worm.Win32.Gibe.b skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3A4B4717.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3ACD2EC9 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3B68319B.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3BA0193E Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3CC6715A.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3D0E2A72.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3FC61AB1.scr Infected: Backdoor.Win32.Loony.m skipped
    C:\Program Files\Norton AntiVirus\Quarantine\3FD81EFC.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\40FE61B8.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\41425319.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4182278D.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\41A346B9.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\422745BB.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\44964037.scr Infected: Backdoor.Win32.Hackarmy.gen skipped
    C:\Program Files\Norton AntiVirus\Quarantine\44A11FB8.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\44A45A08 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\45FB2B68 Infected: Backdoor.Win32.SubSeven.22 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\463C70F3 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4665081F.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\46E1144D.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\47802C4C.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\489F1B10.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4A170416.scr Infected: Backdoor.Win32.IRCBot.gen skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4C667836.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4C793281.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4D401666.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4D410616 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4F4E05B5.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\4FCA309A Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\50FA617A.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\51045F6F.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\51BF531D Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\52B36EEF.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\52FB24E8 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\55E46FC4.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\56B11086.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\56CC6142.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\585476B9.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\586F7B11.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\58B41282.scr Infected: Backdoor.Win32.IRCBot.gen skipped
    C:\Program Files\Norton AntiVirus\Quarantine\59046158 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\59070B54 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\590A3550 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\59103DCE.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\59430DAB Infected: Trojan.Win32.Delf.n skipped
    C:\Program Files\Norton AntiVirus\Quarantine\59697AA7 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\597248CF.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\59923C3A.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5B5A6C98 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5B9D3458 Infected: Email-Worm.Win32.Gibe.b skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5BC90791.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5CCD4DA2.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5F254FC7.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5FC1212E Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\603251BC Infected: Backdoor.Win32.Hupigon.bebt skipped
    C:\Program Files\Norton AntiVirus\Quarantine\608B595A.exe Infected: Backdoor.Win32.Hupigon.bebt skipped
    C:\Program Files\Norton AntiVirus\Quarantine\618D6E33 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\61F013B5 Infected: Email-Worm.Win32.Sobig.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\628C3E2B Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\62DE2395.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\647374D1.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6530221A Infected: Backdoor.Win32.Bifrose.bco skipped
    C:\Program Files\Norton AntiVirus\Quarantine\65916F38 Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\661113FB.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\66143DF7.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\661767F3.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\663722F5.scr Infected: Backdoor.Win32.SdBot.ld skipped
    C:\Program Files\Norton AntiVirus\Quarantine\673C3268.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\678F457A.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\68457B45.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\684E24F7 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\684F793A.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\685C212C.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\68776957.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6A44020E.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6C6A1A5A.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6C6D4457.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6CB56008.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6E1A28F0.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6F0335E7.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6FDA7039 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6FDF1C22.scr Infected: Backdoor.Win32.Loony.l skipped
    C:\Program Files\Norton AntiVirus\Quarantine\717B5418 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\71E3255B.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\72FC0331.scr Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\748F58CA.scr Infected: Backdoor.Win32.Loony.m skipped
    C:\Program Files\Norton AntiVirus\Quarantine\758B25BD.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\75E055DC.scr Infected: Backdoor.Win32.Litmus.203 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\76866E78.scr Infected: P2P-Worm.Win32.SpyBot.gl skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7A1E37F4.exe Infected: Backdoor.Win32.Jokerdoor skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7A9371E5.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7CF60777.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7D465956.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7DCA2E38 Infected: Backdoor.Win32.Loony.d skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7DF548DB.tmp Infected: Backdoor.Win32.Small.ct skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7E45294E.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Norton AntiVirus\Quarantine\7F447945.scr Infected: Backdoor.Win32.Loony.c skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\awtuvSji.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\hgGawVNe.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\mlJBqpOe.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\yayxuSjj.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped
    C:\QooBox\Quarantine\catchme2008-05-13_ 84719.51.zip/geBUlJay.dll Infected: Trojan.Win32.Zapchast.gb skipped
    C:\QooBox\Quarantine\catchme2008-05-13_ 84719.51.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP3\A0000108.dll Infected: Trojan.Win32.Zapchast.gb skipped
    C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP3\A0000109.dll Infected: Trojan.Win32.Zapchast.gb skipped
    C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP3\A0000110.dll Infected: Trojan.Win32.Zapchast.gb skipped
    C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP3\A0000111.dll Infected: Trojan.Win32.Zapchast.gb skipped
    C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP6\A0002364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
    C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP6\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{731A9B82-F3AB-452E-A1F1-2B79BC0A2342}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\hlktmp Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_a78.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
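Added example (the editor's code, not from this thread and not part of Kaspersky's scanner): a small parser for the report format above that separates the "Object is locked" noise from real detections and then sorts each detection by where it sits. That matters for the next step, because a hit inside Norton's Quarantine, inside ComboFix's QooBox quarantine or inside a System Restore point is already contained and only needs the container emptied, while a hit on a live path needs removal. The sample report is constructed: its first seven lines are copied from the report above, the last line (exampleLive.dll / Trojan.Win32.Example.a) is invented for this example to exercise the live-path branch and is not on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Kaspersky Online Scanner report format shown above.
# Lines 1-7 mirror entries from the posted report; the final line is invented
# for this example (not on the page) so the "live path" branch is exercised.
SAMPLE_REPORT = r"""
C:\Program Files\Norton AntiVirus\Quarantine\7A1E37F4.exe Infected: Backdoor.Win32.Jokerdoor skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtuvSji.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped
C:\QooBox\Quarantine\catchme2008-05-13_ 84719.51.zip/geBUlJay.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\QooBox\Quarantine\catchme2008-05-13_ 84719.51.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{8C188258-6E32-4F28-BE88-EB824AE47E76}\RP3\A0000108.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\exampleLive.dll Infected: Trojan.Win32.Example.a skipped
"""

# One report line: a path, then one of three outcomes, then the word "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)"
    r"|ZIP: infected - (?P<count>\d+)) skipped$"
)

# Where a detection lives decides whether it is already contained.
CONTAINERS = (
    ("norton_quarantine", re.compile(r"\\Norton AntiVirus\\Quarantine\\", re.I)),
    ("combofix_quarantine", re.compile(r"\\QooBox\\Quarantine\\", re.I)),
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str          # "infected", "locked" or "archive"
    detail: str = ""   # detection name, or member count for an archive summary


def parse_line(line: str):
    """Parse one report line; returns None for anything that is not a scan result."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("name"):
        return Finding(m.group("path"), "infected", m.group("name"))
    if m.group("locked"):
        return Finding(m.group("path"), "locked")
    return Finding(m.group("path"), "archive", m.group("count"))


def container_of(path: str) -> str:
    """Label a path by the quarantine/restore container it sits in, or "live"."""
    for label, pattern in CONTAINERS:
        if pattern.search(path):
            return label
    return "live"


def triage(report: str) -> dict:
    """Summarise a report: locked-file noise, archive summaries, detections per container."""
    locked = archives = 0
    by_container = Counter()
    live = []
    for line in report.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f.kind == "locked":
            locked += 1
        elif f.kind == "archive":
            archives += 1          # members were already reported individually
        else:
            where = container_of(f.path)
            by_container[where] += 1
            if where == "live":
                live.append((f.path, f.detail))
    return {"locked": locked, "archives": archives,
            "by_container": by_container, "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"locked (ignore): {result['locked']}, archive summaries: {result['archives']}")
    for where, n in sorted(result["by_container"].items()):
        print(f"{where:20s} {n}")
    for path, name in result["live"]:
        print(f"LIVE  {name}  {path}")
```

Run against the full report above, the "live" list comes out empty: every detection is in Norton's quarantine, ComboFix's quarantine or a restore point, which is exactly why the next reply only asks for those containers to be emptied.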
     
  14. 2008/05/15 dmcmillen (Thread Starter)
    HiJackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:45:03 PM, on 5/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\NSCSRVCE.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Norton Save and Restore] "C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
    O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    --
    End of file - 17165 bytes
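Added example (the editor's code, not from this thread and not part of HijackThis): a first-pass triage of a HijackThis log that applies the checks a helper does by eye on the O4, O8, O16 and O23 lines above: autorun entries launched from a user's Temp or Application Data folder, context-menu items that call out to a web host, ActiveX controls (DPF) pulled from the web, and services whose binary is missing or whose publisher is not reported. A flag is a prompt to look, not a verdict: the reply that follows does not ask for any of the flagged entries to be removed, and legitimate software does sometimes start from these places. The sample log is a constructed subset of the log above, lines copied as they appear there; the heuristics and thresholds are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis log posted above, copied as-is.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\David\Application Data\Systweak\ASO 2\smstartUp manager.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Line shapes for the four HijackThis sections this triage looks at.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<name>.+?) - (?P<target>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")
# First executable on a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)

# Assumed heuristic: autoruns under a profile's scratch folders deserve a look,
# since installed software normally starts from Program Files or the Windows dir.
PROFILE_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\appdata\\")


@dataclass(frozen=True)
class Flag:
    section: str
    name: str
    reason: str
    target: str


def launch_target(cmd: str) -> str:
    """Return the executable an O4 command launches, with quotes and arguments stripped."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group("path")
    parts = cmd.split()
    return parts[0].strip('"') if parts else cmd


def triage_hijackthis(log: str) -> list:
    """Apply the review heuristics to each line and return the entries worth a look."""
    flags = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            target = launch_target(m.group("cmd"))
            if any(d in target.lower() for d in PROFILE_DIRS):
                flags.append(Flag("O4", m.group("name"),
                                  "autorun launched from a profile scratch folder", target))
        elif m := O8_RE.match(line):
            target = m.group("target")
            if target.lower().startswith(("http://", "https://")):
                host = urlsplit(target).hostname
                flags.append(Flag("O8", m.group("name"),
                                  f"context-menu item calls out to {host}", target))
        elif m := O16_RE.match(line):
            host = urlsplit(m.group("url")).hostname
            flags.append(Flag("O16", m.group("desc") or m.group("clsid"),
                              f"ActiveX control downloaded from {host}; confirm it is expected",
                              m.group("url")))
        elif m := O23_RE.match(line):
            reasons = []
            if "(file missing)" in m.group("path"):
                reasons.append("service binary missing")
            if m.group("owner").strip() in ("", "Unknown owner"):
                reasons.append("no publisher reported")
            if reasons:
                flags.append(Flag("O23", m.group("name"), "; ".join(reasons), m.group("path")))
    return flags


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.section:4s} [{f.name}] {f.reason}\n      -> {f.target}")
```

On the sample this flags MXOBG and Startup Manager (O4), &Search (O8), the Driver Agent control (O16) and the x10nets service (O23), and leaves ccApp, UserFaultCheck, the Adobe context-menu item and the Webroot service alone. Each flag still needs a human to check the file against its vendor before anything is deleted.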
     
  15. 2008/05/15 noahdfear
    Delete the following, as well as all other files I previously mentioned which you had moved to your Potential Bad Stuff folder.

    C:\Download\MyFunCards\MyFunCardsSetup2.2.60.9.exe
    C:\David's Potential Bad Stuff\arijbajm.dll
    C:\David's Potential Bad Stuff\jclyxygf.dll
    C:\David's Potential Bad Stuff\qfvlrvls.dll
    C:\David's Potential Bad Stuff\tlkbnpas.dll
    C:\David's Potential Bad Stuff\yhhmxxqw.dll
    C:\Documents and Settings\David\My Documents\Azureus Downloads\Chief.Architect.X1.Keygen\Chief.Architect.X1.Keygen.rar


    Remove all items in Norton's Quarantine.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.


    You can again turn off System Restore now if you do not wish to have it enabled.


    Run ATF Cleaner once again, making sure to empty the recycle bin as at least 1 of the options. Reboot when done.

    A re-scan with Kaspersky wouldn't hurt, if you want to verify everything is now clean.


    It's not at all uncommon for AVs to name infections differently. As for a comparison of NAV and KAS... you would find KAS to be much less resource-hungry, and its detection database every bit as good as NAV's, if not better.
     
  16. 2008/05/17 dmcmillen (Thread Starter)
    Looks like we're clean!

    Hi Dave,

    Thank you so much for all your help. This is kinda like a root canal without novocaine. Everything looks clean now. FYI, ComboFix uninstall did not get rid of restore point(s), but I did that manually.

    The only 'problems' I'm having now (that I know of) are performance-related on boot-up. After everything has loaded and boot appears to be complete, there's another 3 or 4 minutes of intense CPU and disk activity by ssu.exe (Spysweeper), lucoms~1.exe (Symantec LiveUpdate), LUCallBackProxy.exe (usually more than 1 process -- Symantec Update), and MS processes csrss.exe (client/server) and services.exe. Mostly it's the Symantec and Spysweeper stuff. That's one reason I'm interested in the Kaspersky anti-virus, although I also run Norton's Save and Restore so I would still be stuck with their auto update process.

    Anyway, I would appreciate any thoughts you might have on that.

    Otherwise, I think I'm good to go and again thanks for all your time and effort.

    David
     
  17. 2008/05/17 noahdfear
    Try running Live Update manually and reboot when done. If there's no difference, disable SpySweeper from starting with Windows. Let me know how it goes.
     
