
Kaspersky Scan Results, what next?

Discussion in 'Malware and Virus Removal Archive' started by DeniseB, 2007/09/20.

  1. 2007/09/20
    DeniseB

    DeniseB Inactive Thread Starter

    Hi Dave,
    Wanted to thank you. There was a member you helped two days ago named "rhojjati". I was having the same exact issues he was, and followed your advice. My control panel came back and the spyware warning (pop-up) disappeared. When I ran the Kaspersky Scan, it still found three viruses (after running Deckard's, ComboFix, and HijackThis). I would like to show you the results of that scan and would appreciate if you could tell me what I should do next. I appreciate the way you help people in plain English and are not at all difficult to understand. I was quite impressed with your abilities.
    Please let me know what my next step should be:
    Here is the partial report, I will send the rest in a separate email to you:
    Tuesday, September 18, 2007 10:24:02 AM
    Operating System: Microsoft Windows XP Home Edition, (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 18/09/2007
    Kaspersky Anti-Virus database records: 420258


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\
    G:\

    Scan Statistics
    Total number of scanned objects 29403
    Number of viruses found 3
    Number of infected objects 27
    Number of suspicious objects 0
    Duration of the scan process 00:33:02

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\Denise Buzzelli\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\Local Settings\History\History.IE5\MSHist012007091820070919\index.dat Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Denise Buzzelli\NTUSER.DAT.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

    .


    DeniseB
     
  2. 2007/09/20
    DeniseB

    DeniseB Inactive Thread Starter

    Kaspersky Scan Results, continued

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028263.ini Infected: Trojan.Win32.Qhost.my skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028270.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028271.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028272.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028292.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028293.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028294.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028321.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028322.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028323.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028425.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028426.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028427.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028444.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028445.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028447.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP227\A0028465.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP227\A0028466.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP227\A0028467.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP227\A0028546.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP227\A0028547.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP227\A0028548.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\A0028584.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\A0028591.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\A0028592.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\A0028593.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\A0028595.sys Infected: Trojan.Win32.Kolweb.q skipped

    C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\change.log Object is locked skipped

    C:\WINDOWS\Debug\oakley.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

    C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\Temp\Perflib_Perfdata_1cc.dat Object is locked skipped

    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed


    DeniseB
     

  4. 2007/09/20
    PeteC

    PeteC SuperGeek Staff

    Denise - please keep with one thread - merged.
     
  5. 2007/09/20
    noahdfear

    noahdfear Inactive

    Welcome to WindowsBBS Denise :)

    Appears that the only infections remain within the System Restore points, according to Kaspersky. Let's clean those up, then do another scan just to see if there are leftovers Kaspersky won't even look at.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot


    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.
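    The reasoning in the reply above (every detection sits inside a System Restore point, everything else was only "locked") can be read straight off the scanner's text output. The script below is an added example written for this thread, not a tool from the forum or from Kaspersky; it assumes the "path Infected: name action" and "path Object is locked action" line layout seen in the report, embeds four lines from that report as sample input, and adds one clearly constructed line (placeholder path and detection name) to show what a detection outside a restore point looks like.

```python
"""Triage a Kaspersky Online Scanner text report.

Added example (not a tool from the thread, and not Kaspersky code). It reads
the "Infected Object Name / Virus Name / Last Action" lines the scanner
prints, separates real detections from objects that were merely locked,
and tells you whether every detection sits inside a System Restore point
(C:\\System Volume Information\\_restore{...}\\RP###\\...), which is the
situation the reply above reads off the report.
"""
import re
from collections import Counter

# A detection line: <path> Infected: <detection name> <last action>
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
# A locked object line: <path> Object is locked <last action>
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\S+)$")
# Path prefix of a System Restore snapshot file (RP### = restore point number).
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I
)


def parse_report(text):
    """Return (detections, locked): lists of dicts with path/name/action keys."""
    detections, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            detections.append(m.groupdict())
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.groupdict())
    return detections, locked


def in_restore_point(path):
    """True when the path lies inside a System Restore point snapshot."""
    return bool(RESTORE_RE.match(path))


def triage(text):
    """Summarise a report: counts, detection families, and what lives outside restore points."""
    detections, locked = parse_report(text)
    outside = [d["path"] for d in detections if not in_restore_point(d["path"])]
    return {
        "detections": len(detections),
        "locked": len(locked),
        "families": dict(Counter(d["name"] for d in detections)),
        "outside_restore_points": outside,
        # Only meaningful when something was detected at all.
        "only_in_restore_points": bool(detections) and not outside,
    }


# Sample 1: four lines taken from the report posted in this thread.
SAMPLE_RESTORE_ONLY = r"""
C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028263.ini Infected: Trojan.Win32.Qhost.my skipped
C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP226\A0028270.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\System Volume Information\_restore{9B3A9E55-0B5E-4984-8035-0717AC161956}\RP229\A0028595.sys Infected: Trojan.Win32.Kolweb.q skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Sample 2: the same lines plus one CONSTRUCTED line (placeholder path and
# detection name, not from the thread) to exercise the "live file" branch.
SAMPLE_WITH_LIVE = SAMPLE_RESTORE_ONLY + r"""
C:\WINDOWS\System32\constructed_sample.dll Infected: Example.Constructed.Name skipped
"""


if __name__ == "__main__":
    for label, sample in (("restore-only", SAMPLE_RESTORE_ONLY), ("with live file", SAMPLE_WITH_LIVE)):
        r = triage(sample)
        print(label, r["detections"], "detections,", r["locked"], "locked, families:", r["families"])
        if r["only_in_restore_points"]:
            print("  all detections are inside restore points: purge them (System Restore off/on) and rescan")
        else:
            print("  live files to look at:", r["outside_restore_points"])
```

    Locked objects (registry hives, event logs, index.dat files) are reported separately because the scanner never examined them, which is why the reply above asks for a second scan with a different tool rather than treating "skipped" as "clean".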
     
  6. 2007/09/20
    DeniseB

    DeniseB Inactive Thread Starter

    Dave, Thanks.
    I did all that you told me and the original problem has vanished. Deckard's didn't find anything this time. Now I am having a new problem, about which I have posted a new thread regarding Internet Explorer. Someone is on it already... but if you have anything to suggest I would appreciate it.

    IE6.0 Version
    Takes over 3 minutes to load.
    After I exit IE, I try to shut down my system and I get a window that says END PROGRAM: IEXPLERE.exe program not responding. It will not let me END NOW and it just runs through and then repeats. I can't turn my computer off without using the button on the tower.

    IE is v6.0 and has not recently been upgraded.
    My subscription to Zone Alarm expired, and I just renewed that a few days ago.
    I installed AVAST! for virus protection but noticed it slowed everything down so I uninstalled it. Haven't replaced it yet.

    I recently ran
    Deckard's, ComboFix (didn't see the recent post on not to use this), HijackThis. And deleted all the files as instructed.

    Have Spybot and ATF Cleaner installed now... they find no problems.
    I have a DSL connection.


    I am awaiting a response from (Charles.. I think??) after answering the above questions for him.

    Thanks for your help, you're great.

    Denise
     
  7. 2007/09/20
    noahdfear

    noahdfear Inactive

    Deckard's doesn't 'find' anything. It is a reporting tool only. Can I see the most recent main.txt please? It will be in a subfolder of C:\Deckard that derives its name from the date and time of the scan.

    I'll follow along with Charles as well. ;)
     
  8. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Scan results

    Dave, sorry... here ya go:


    Deckard's System Scanner v20070905.67
    Run by Denise * on 2007-09-21 07:28:56
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 256 MiB (512 MiB recommended).


    -- HijackThis (run as Denise *.exe) -------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:29:10 AM, on 9/21/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Denise *\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\DENISE~1.EXE

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Denise *\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: *.totalvid.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\hadjajr.ini
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5127 bytes

    -- Files created between 2007-08-21 and 2007-09-21 -----------------------------

    2007-09-18 20:58:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-18 11:11:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-18 09:34:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-09-18 09:34:35 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
    2007-09-18 08:58:43 0 d-------- C:\Program Files\Trend Micro
    2007-09-17 22:51:36 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-09-17 22:04:19 0 d-------- C:\Program Files\Alwil Software
    2007-09-17 21:15:06 39424 --a------ C:\WINDOWS\System32\vtr.dll <Not Verified; ; IEHelper Module>
    2007-09-09 21:41:19 0 d-------- C:\WINDOWS\PIXTRAN
    2007-09-09 21:41:19 0 d-------- C:\Program Files\BrownTech


    -- Find3M Report ---------------------------------------------------------------

    2007-09-21 06:57:47 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
    2007-09-20 22:52:52 24 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
    2007-09-20 22:52:52 24 --a------ C:\WINDOWS\System32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
    2007-09-18 20:58:48 0 d-------- C:\Program Files\Apple Software Update
    2007-08-27 16:53:00 0 d-------- C:\Documents and Settings\Denise *\Application Data\Canon
    2007-08-17 23:27:31 0 d-------- C:\Program Files\Common Files
    2007-07-30 16:13:39 0 d-------- C:\Program Files\iTunes
    2007-07-30 16:13:26 0 d-------- C:\Program Files\iPod
    2007-07-30 16:11:26 0 d-------- C:\Program Files\QuickTime
    2007-07-29 19:14:16 0 d-------- C:\Documents and Settings\Denise *\Application Data\U3
    2007-07-21 14:19:40 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-21 14:18:53 0 d-------- C:\Program Files\Disney Interactive


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [05/08/2003 11:00 AM]
    "WINDVDPatch"="CTHELPER.EXE" [02/07/2002 08:01 PM C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
    "Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [10/04/2001 01:00 AM]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [06/01/2006 05:22 PM]
    "nwiz"="nwiz.exe" [06/01/2006 05:22 PM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [06/01/2006 05:22 PM]
    "WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [10/04/2001 09:34 PM]
    "Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/22/2001 06:52 PM]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 01:41 AM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/16/2006 07:27 PM]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [09/20/2002 03:16 PM]
    "LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [09/11/2002 12:58 PM]
    "LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [09/11/2002 12:57 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/21/2007 09:54 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [5/28/2007 10:39:06 PM]
    Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [8/6/2001 8:06:54 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\System32\hadjajr.ini




    -- End of Deckard's System Scanner: finished at 2007-09-21 07:29:43 ------------
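    A helper reading a HijackThis log like the one above sorts it by section code and looks at a few sections first. The script below is an added example written for this thread, not a tool from the forum and not HijackThis code; it assumes the "O## - ..." line layout HijackThis 2.x uses, takes seven lines from the log above as sample input, and flags entries for inspection without deciding anything about them: O20 AppInit_DLLs (a file listed there is loaded into every process that loads user32.dll), O15 Trusted Zone additions (IE applies weaker security settings to those sites), O16 DPF (ActiveX controls installed from the web), and O4 Run values whose command is not a full path (those are located through the search path rather than a fixed location).

```python
"""Summarise a HijackThis 2.x log and list the entries a helper reviews first.

Added example, not a tool from the thread and not HijackThis code. It groups
each "O## - ..." line by section code, pulls out O20/O15/O16 entries, and
lists O4 Run values whose command has no full path. It decides nothing about
malice; it surfaces what to inspect.
"""
import re

ENTRY_RE = re.compile(r"^(?P<code>[ROF]\d+) - (?P<body>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<path>.+)$")
# O4 registry Run line: HKLM\..\Run: [ValueName] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Return [(section_code, body)] for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def review(text):
    """Count entries per section and flag O20/O15/O16 entries for review."""
    by_code = {}
    for code, body in parse_hjt(text):
        by_code.setdefault(code, []).append(body)

    flags = []
    for body in by_code.get("O20", []):
        m = APPINIT_RE.match(body)
        if m:
            path = m["path"].strip()
            note = "AppInit_DLLs entry"
            if not path.lower().endswith(".dll"):
                # AppInit_DLLs is meant to list DLLs; another extension is unusual.
                note += " (file name does not end in .dll)"
            flags.append(("O20", path, note))
    for body in by_code.get("O15", []):
        flags.append(("O15", body, "Trusted Zone addition"))
    for body in by_code.get("O16", []):
        flags.append(("O16", body, "ActiveX control downloaded from the web"))
    return {"counts": {k: len(v) for k, v in by_code.items()}, "flags": flags}


def run_entries_without_full_path(text):
    """Names of O4 Run values whose command does not start with a drive letter."""
    names = []
    for code, body in parse_hjt(text):
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue  # "O4 - Global Startup: ..." lines use a different layout
        cmd = m["cmd"].strip().strip('"')
        if not ABS_PATH_RE.match(cmd):
            names.append(m["name"])
    return names


# Sample: seven lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O15 - Trusted Zone: *.totalvid.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\hadjajr.ini
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("entries per section:", result["counts"])
    for code, item, note in result["flags"]:
        print(f"  {code}: {item}  <- {note}")
    print("Run values without a full path:", run_entries_without_full_path(SAMPLE_LOG))
```

    The O16 entry in the sample is the Kaspersky web scanner control itself, which shows why the script only flags and never judges: the same section holds both expected and unexpected items, and the thread's helpers decide by looking at each one.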
     
  9. 2007/09/21
    noahdfear

    noahdfear Inactive

    If you still have ComboFix.exe, delete it. This is a newer version I want you to use.

    Download ComboFix by sUBs from here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  10. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    ComboFix Log

    Dave, this is the ComboFix log..... Isn't the HijackThis log part of Deckard's above?? Or do I need to run something separate... I can't remember..... please advise :)


    ComboFix 07-09-21.2 - "Denise *" 2007-09-21 20:43:27.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.84 [GMT -4:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-21 10:06 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
    2007-09-21 10:06 1,897,984 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-09-21 07:28 <DIR> d-------- C:\Deckard
    2007-09-18 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-09-18 11:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-18 09:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-18 09:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-18 09:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-18 08:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-17 22:04 <DIR> d-------- C:\Program Files\Alwil Software
    2007-09-17 21:15 39,424 --a------ C:\WINDOWS\system32\vtr.dll
    2007-09-09 21:41 <DIR> d-------- C:\WINDOWS\PIXTRAN
    2007-09-09 21:41 <DIR> d-------- C:\Program Files\BrownTech

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-18 20:58 --------- d-------- C:\Program Files\Apple Software Update
    2007-09-18 09:19 134144 --a------ C:\WINDOWS\regedit.exe
    2007-08-27 16:53 --------- d-------- C:\DOCUME~1\DENISE~1\APPLIC~1\Canon
    2007-07-30 16:13 --------- d-------- C:\Program Files\iTunes
    2007-07-30 16:13 --------- d-------- C:\Program Files\iPod
    2007-07-30 16:11 --------- d-------- C:\Program Files\QuickTime
    2007-07-29 19:14 --------- d-------- C:\DOCUME~1\DENISE~1\APPLIC~1\U3
    2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
    "WINDVDPatch"="CTHELPER.EXE" [2002-02-07 20:01 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
    "Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 17:22]
    "nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 17:22]
    "WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-04 21:34]
    "Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-22 18:52]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 01:41]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-16 19:27]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16]
    "LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58]
    "LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-05-28 22:39:06]
    Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-06 20:06:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\System32\hadjajr.ini

    R1 ATMhelpr;ATMhelpr;C:\WINDOWS\System32\drivers\ATMhelpr.sys
    R3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMDM.sys
    R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-19 00:58:49 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-21 20:46:27
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-21 20:47:28
    .
    --- E O F ---
     
    Last edited: 2007/09/21
  11. 2007/09/21
    noahdfear

    noahdfear Inactive

    HijackThis is a separate application that you need to scan and save a log with.
     
  12. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Dave, can you give me the download link for Hijack This again please?
     
  13. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It's located in your C:\Program Files\Trend Micro\HijackThis folder, and should be available on the Start>All Programs menu.

    Also available here
     
  14. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Here you go .. thanks for your patience....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:16:36 PM, on 9/21/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Denise Buzzelli\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: *.totalvid.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\hadjajr.ini
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5124 bytes
     
  15. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you add *totalvid.com to your Internet Explorer trusted zone? This explicitly allows all content from any link within the totalvid.com domain.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\vtr.dll
    
    Rootkit::
    C:\WINDOWS\System32\hadjajr.ini
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "appinit_dlls "=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
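    The two items singled out in this post, an O15 Trusted Zone entry the user did not knowingly add and an AppInit_DLLs value that points at an .ini file rather than a DLL, can be picked out of a HijackThis log automatically. The checker below is an added example, not a tool from the thread or from HijackThis; the sample log lines are copied from the log posted above, and the Finding/triage names are my own.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

It parses every 'Oxx - ...' line and reports two things the helper in this
thread acted on: an IE Trusted Zone entry (O15) that is not on an allow list,
and an AppInit_DLLs value (O20), with a higher severity when the file loaded
is not even named as a .dll.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: *.totalvid.com
O20 - AppInit_DLLs: C:\WINDOWS\System32\hadjajr.ini
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(.+?)\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+?)\s*$")


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "O15"
    detail: str    # the value HijackThis reported
    severity: str  # "review" or "high"
    reason: str


def parse_entries(text: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for every 'Oxx - ...' line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text: str, trusted_zone_allow: Iterable[str] = ()) -> list[Finding]:
    """Flag O15 Trusted Zone and O20 AppInit_DLLs entries.

    trusted_zone_allow: domains the user knowingly added. Anything else in the
    IE Trusted Zone is reported, because that zone relaxes browser security
    for every page under the domain (the helper's question about totalvid.com).
    """
    allow = {d.lower() for d in trusted_zone_allow}
    findings = []
    for code, body in parse_entries(text):
        if code == "O15":
            m = TRUSTED_RE.match(body)
            if m and m.group(1).lower() not in allow:
                findings.append(Finding(code, m.group(1), "review",
                                        "IE Trusted Zone entry not on the allow list"))
        elif code == "O20":
            m = APPINIT_RE.match(body)
            if not m:
                continue
            path = m.group(1)
            # AppInit_DLLs is empty on a default XP install, and whatever it names
            # is loaded into every process that loads user32.dll, so any value
            # deserves a look. A value that is not even a .dll (an .ini here) is
            # the entry the helper removed with the Rootkit:: and Registry::
            # sections of the CFScript above.
            if not path.lower().endswith(".dll"):
                findings.append(Finding(code, path, "high",
                                        "AppInit_DLLs loads a file without a .dll extension"))
            else:
                findings.append(Finding(code, path, "review",
                                        "AppInit_DLLs is set; confirm the DLL belongs to known software"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code} [{f.severity}] {f.detail}: {f.reason}")
```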
  16. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Dave, I don't know what Totalvid is, so... no, that was definitely not intentional.

    Here is the report:
    ComboFix 07-09-21.2 - "Denise *" 2007-09-21 22:02:50.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.83 [GMT -4:00]
    Command switches used :: C:\Documents and Settings\Denise *\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\vtr.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\vtr.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-21 10:06 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
    2007-09-21 10:06 1,897,984 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-09-21 07:28 <DIR> d-------- C:\Deckard
    2007-09-18 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-09-18 11:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-18 09:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-18 09:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-18 09:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-18 08:58 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-17 22:04 <DIR> d-------- C:\Program Files\Alwil Software
    2007-09-09 21:41 <DIR> d-------- C:\WINDOWS\PIXTRAN
    2007-09-09 21:41 <DIR> d-------- C:\Program Files\BrownTech

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-18 20:58 --------- d-------- C:\Program Files\Apple Software Update
    2007-09-18 09:19 134144 --a------ C:\WINDOWS\regedit.exe
    2007-08-27 16:53 --------- d-------- C:\DOCUME~1\DENISE~1\APPLIC~1\Canon
    2007-07-30 16:13 --------- d-------- C:\Program Files\iTunes
    2007-07-30 16:13 --------- d-------- C:\Program Files\iPod
    2007-07-30 16:11 --------- d-------- C:\Program Files\QuickTime
    2007-07-29 19:14 --------- d-------- C:\DOCUME~1\DENISE~1\APPLIC~1\U3
    2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-21_204701.76 )))))))))))))))))))))))))))))))))))))))))
    .
    ---h--w 4,212 2007-09-22 02:06:39 C:\WINDOWS\system32\zllictbl.dat
    ----a-w 16,384 2007-09-22 02:06:27 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 32,768 2007-09-22 02:06:27 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 98,304 2007-09-22 02:06:27 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ---h--w 4,212 2007-09-22 00:30:16 C:\WINDOWS\system32\zllictbl.dat
    ----a-w 16,384 2007-09-22 00:30:04 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 32,768 2007-09-22 00:30:04 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w 98,304 2007-09-22 00:30:04 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@ "=" " []
    "OpwareSE2 "= "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
    "WINDVDPatch "= "CTHELPER.EXE" [2002-02-07 20:01 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
    "Jet Detection "= "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 17:22]
    "nwiz "= "nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 17:22]
    "WorksFUD "= "C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-04 21:34]
    "Microsoft Works Portfolio "= "C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-22 18:52]
    "Microsoft Works Update Detection "= "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 01:41]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-16 19:27]
    "LVCOMS "= "C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16]
    "LogitechGalleryRepair "= "C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58]
    "LogitechImageStudioTray "= "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
    "ZoneAlarm Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-05-28 22:39:06]
    Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-06 20:06:54]

    R1 ATMhelpr;ATMhelpr;C:\WINDOWS\System32\drivers\ATMhelpr.sys
    R3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMDM.sys
    R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-19 00:58:49 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-21 22:07:58
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-21 22:09:46 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-21 22:09
    C:\ComboFix2.txt ... 2007-09-21 21:56
    C:\ComboFix3.txt ... 2007-09-21 20:47
    .
    --- E O F ---


    Hijack This:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:15:52 PM, on 9/21/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Denise *\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: *.totalvid.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5118 bytes
     
  17. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Dave, by the way, should I be getting floating "VIBRANT ADS" while on Windows BBS? It only happens on your site.... just wondering if that's normal.
    Thanks
     
  18. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great!

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Reboot.

    Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O15 - Trusted Zone: *.totalvid.com


    Close HijackThis.

    Delete all of the following tools we have used, and the files/folders they created.

    C:\Deckard
    C:\ComboFix
    C:\QOOBOX
    C:\WINDOWS\nircmd.exe
    combofix.exe
    dss.exe

    all combofix logs

    Run ATF cleaner as previously instructed.

    Reboot.

    You can re-enable TeaTimer now.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.

    If the scan is clean, clear your System restore points again, then go straight to Windows Update and start applying all critical updates and service packs. Your system is extremely behind, leaving it wide open to a host of exploits.
     
  19. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Ok, I deleted Deckards and Qoobox, and the file for Nircmd, and some txt Combofix files from my C drive, but I can't locate Combofix at all anywhere on my C drive to delete it, and I can't find combofix.exe or dss.exe in Windows.
    Will deleting them from my desktop do the trick?


    by the way..... did you see my post above about the Vibrant Ad?
     
    Last edited: 2007/09/21
  20. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, they are on the desktop. Don't worry about it if you don't have a C:\combofix folder. Just move on. ;)

    Just saw your question about ads. Those are normal until/unless you become a contributing member. Those ads help pay for upkeep of the site. :)
     
  21. 2007/09/21
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Panda

    I tried going to Panda, but it will not let me click on "Scan your PC now". The button is there but it's inactive. I tried right-clicking on it but it won't give me the option to open the link.... suggestions?
     
