
Solved PC Antispyware problem

Discussion in 'Malware and Virus Removal Archive' started by dhartson, 2008/04/13.

  1. 2008/04/13
    dhartson

    dhartson Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    14
    Likes Received:
    0
    [Resolved] PC Antispyware problem

    I need help cleaning up my system after it became infected with PC Antispyware and whatever else has come in on its coat tails. I stupidly OK'd the installation of a video driver or some such thing to view some information I was searching for. :eek: I have run:

    1. Malwarebytes' Anti-Malware several times and am intending to post the next to last log (the last one showed no problems, but there were still problems). Then, I ran

    2. AVG Antispyware in Safe mode, and quarantined numerous infected files; unfortunately I did not obtain a log. Then, I ran

    3. ATF Cleaner as instructed in other threads (under Main, select "All"). Next, I ran

    4. OTScanIt with the default settings and, under Additional Scans, I had checked "Reg-BotCheck" and "File - Additional Folder Scan". I intend to post the log from that. Next, I think (I'm not sure of the exact order now), I ran

    5. SmitfraudFix in Safe mode: I typed "2" and pressed "Enter", answered Yes to clean the registry, etc., until the system was ready to reboot. I have that report to post as well. Then, I ran

    6. HijackThis for a log, which I will post. Finally, I ran

    7. Kaspersky Online Scanner, and will post THAT log; the scan found 8 viruses.

    I would very much appreciate some help cleaning this system since I do not have a handle on this. I guess I'll post all these logs in a second post to see if that might keep things a little neater. :eek:
     
    Last edited: 2008/04/13
  2. 2008/04/13
    dhartson Inactive Thread Starter
    Logs & Reports to date

    1. mbam-log-4-12-2008 (00-52-30).txt

    Malwarebytes' Anti-Malware 1.11
    Database version: 615

    Scan type: Quick Scan
    Objects scanned: 95184
    Time elapsed: 26 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\SYSTEM32\fjtqpdck.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\SYSTEM32\khfgeDTM.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\SYSTEM32\qrlcueda.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aac041b3-8671-4c17-8478-3496101b0c25} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{aac041b3-8671-4c17-8478-3496101b0c25} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\SYSTEM32\fjtqpdck.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\kcdpqtjf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\khfgeDTM.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\MTDegfhk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\MTDegfhk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\qrlcueda.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\adeuclrq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

    2 & 3: No AVG Spyware log to post at present; and no ATF Cleaner log

    4. OTScanIt.Txt

    *** WAY too big a file to paste to a single post ***

    Suggestions?

    5. SmitFraudFix-rapport_041108.txt

    SmitFraudFix v2.221

    Scan done at 1:48:43.04, Sat 04/12/2008
    Run from C:\Downloads\Anti-Spyware\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!
    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll
    »»»»»»»»»»»»»»»»»»»»»»»» Killing process
    »»»»»»»»»»»»»»»»»»»»»»»» hosts
    127.0.0.1 localhost
    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
    GenericRenosFix by S!Ri
    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.99 85.255.112.133
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.99 85.255.112.133
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.116.99 85.255.112.133

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
    Registry Cleaning done.
    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!
    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll
    »»»»»»»»»»»»»»»»»»»»»»»» End

    6. hijackthis.log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:41:13 PM, on 4/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe "
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [d4b169e1] rundll32.exe "C:\WINDOWS\system32\tlfmfccx.dll ",b
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

    --
    End of file - 9383 bytes

    7. Kaspersky Online Scanner report.txt

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, April 12, 2008 3:42:51 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 12/04/2008
    Kaspersky Anti-Virus database records: 700383
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    S:\

    Scan Statistics:
    Total number of scanned objects: 155929
    Number of viruses found: 8
    Number of infected objects: 13
    Number of suspicious objects: 3
    Duration of the scan process: 02:07:36

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ee6dddd0c7fe09abe3ead472936878c8_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{095BCEBF-7126-40A7-A65B-1269767538AB}.DAT Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{51A3F730-1D16-4CD1-96D1-BAE81FADF262}.DAT Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{BF2472E0-4AAD-4600-8769-B5F4B2D07F83}.DAT Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{370E23D4-8891-4A1B-A0CF-EA5D502A0EB0}.ldb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{370E23D4-8891-4A1B-A0CF-EA5D502A0EB0}.sds Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6D81F478.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\C4FC91A8.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\Alleg_Rg.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BernFash.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BRADHITC.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BROADW.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BRUSHSCI.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\CURLZ___.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\EDDA.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\Eng111Vi.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\FREESCPT.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\Jokerman.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\KUNSTLER.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\SCRIPTBL.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\SNAP____.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\TEMPSITC.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\TypoUpri.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\VINERITC.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\VLADIMIR.TTF Object is locked skipped
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\David\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.67069 Infected: Trojan.Win32.Agent.jqa skipped
    C:\Documents and Settings\David\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
    C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Deleted Items.dbx/[From "HSBC Bank" <auto_remailer.id9285-7796402bib@hsbc.com>][Date Mon, 24 Mar 2008 23:45:29 -0400]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Deleted Items.dbx/[From "HSBC Bank" <auto_remailer.id9285-7796402bib@hsbc.com>][Date Mon, 24 Mar 2008 23:45:29 -0400]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: suspicious - 2 skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_d50.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\David\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Downloads\Anti-Spyware\setupxv.exe/SpywareBot/SpywareBot.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.a skipped
    C:\Downloads\Anti-Spyware\setupxv.exe/SpywareBot/SpywareBotSrv.srv.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.b skipped
    C:\Downloads\Anti-Spyware\setupxv.exe 7-Zip: infected - 2 skipped
    C:\Downloads\Anti-Spyware\setupxv.exe UPX: infected - 2 skipped
    C:\Downloads\Anti-Spyware\setupxv.exe PE_Patch.UPX: infected - 2 skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\Downloads\MediaTubeCodec_ver1.919.0(2).exe Infected: Trojan-Downloader.Win32.Zlob.kxe skipped
    C:\Downloads\Utilities\astlog\astlog.exe Infected: not-a-virus:pSWTool.Win32.Asterisk.a skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E644D52D-50FE-413B-A127-74C531B20762}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\JETA316.tmp Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_68c.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\MSDVRMM_1421815329_1048576_42 Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\MSDVRMM_1421815329_720896_38 Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
    D:\Recorded TV\TempRec\{9BE6129B-557D-461B-BB7D-DB00821AE806}.TmpSBE Object is locked skipped
    D:\Recorded TV\TempRec\{B28C6346-2885-4ED3-9BD1-FE10978A0A1B}.TmpSBE Object is locked skipped
    D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
    G:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
    G:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    K:\RECYCLED\NPROTECT\NPROTECT.LOG Object is locked skipped
    S:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    S:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<

    That's it!
     

  4. 2008/04/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi dhartson
    Welcome to Windowsbbs. :)

    Please don't run any more tools unless asked to do so.
    Thanks.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.


    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Please post the dss log and the Combofix log.

    Thanks
    Geri
     
    Geri,
    #3
  5. 2008/04/13
    dhartson

    dhartson Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    14
    Likes Received:
    0
    Reply (a)

    Thank you! The instructions were a little in conflict but I figured that some were boilerplate and that you only want the DSS main.txt and ComboFix logs right now. Due to their size, I have put them on two different posts.

    DSS' main.txt:

    Deckard's System Scanner v20071014.68
    Run by David on 2008-04-13 17:00:00
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- HijackThis (run as David.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:00:03 PM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Downloads\Anti-Spyware\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\David.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\ssQkLEuV.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8ABD9C55-9485-4001-8B3D-2F5712F43B17} - C:\WINDOWS\system32\rqRLbcYQ.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe "
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [d4b169e1] rundll32.exe "C:\WINDOWS\system32\ubwfwnyw.dll ",b
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O20 - Winlogon Notify: ssQkLEuV - C:\WINDOWS\SYSTEM32\ssQkLEuV.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

    --
    End of file - 11325 bytes

    -- Files created between 2008-03-13 and 2008-04-13 -----------------------------

    2008-04-13 12:09:32 85568 --a------ C:\WINDOWS\system32\ubwfwnyw.dll
    2008-04-12 22:03:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-04-12 15:56:28 0 dr-h----- C:\Documents and Settings\David\Recent
    2008-04-12 12:46:51 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-12 12:46:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-12 12:46:50 0 d-------- C:\WINDOWS\LastGood
    2008-04-12 12:40:39 0 d-------- C:\Program Files\Trend Micro
    2008-04-12 12:06:32 86592 -----n--- C:\WINDOWS\system32\tlfmfccx.dll
    2008-04-12 12:03:32 180410 --ahs---- C:\WINDOWS\system32\QYcbLRqr.ini2
    2008-04-12 12:03:30 272384 --a------ C:\WINDOWS\system32\rqRLbcYQ.dll
    2008-04-12 01:40:32 0 d-------- C:\Documents and Settings\David\Application Data\Grisoft
    2008-04-10 00:45:38 0 d-------- C:\Documents and Settings\David\Application Data\Malwarebytes
    2008-04-10 00:45:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-10 00:45:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-10 00:38:00 0 d-------- C:\Documents and Settings\David\Application Data\TmpRecentIcons
    2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\userconfig9x.dll
    2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
    2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\system32mwin32.exe
    2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\system32hoproxy.dll
    2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\FVProtect.exe
    2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\a.bat
    2008-04-09 22:39:28 4096 --a------ C:\WINDOWS\system32taack.exe
    2008-04-09 22:39:28 4096 --a------ C:\WINDOWS\system32taack.dat
    2008-04-09 22:39:28 4096 --a------ C:\WINDOWS\system32sncntr.exe
    2008-04-09 22:39:28 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
    2008-04-09 22:39:28 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
    2008-04-09 22:39:25 4096 --a------ C:\WINDOWS\system32psoft1.exe
    2008-04-09 22:39:24 4096 --a------ C:\WINDOWS\system32psof1.exe
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32ssurf022.dll
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32ps1.exe
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32netode.exe
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32mtr2.exe
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32msnbho.dll
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32msgp.exe
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32medup020.dll
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32medup012.dll
    2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32temp#01.exe
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32ssvchost.exe
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32ssvchost.com
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32regm64.dll
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32regc64.dll
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32msvchost.exe
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
    2008-04-09 22:39:22 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
    2008-04-09 22:39:21 4096 --a------ C:\WINDOWS\system32thun32.dll
    2008-04-09 22:39:21 4096 --a------ C:\WINDOWS\system32thun.dll
    2008-04-09 22:39:21 4096 --a------ C:\WINDOWS\system32Rundl1.exe
    2008-04-09 22:39:21 4096 --a------ C:\Documents and Settings\David\DesktopFWebdEditor.exe
    2008-04-09 22:39:21 4096 --a------ C:\Documents and Settings\David\Desktopfilemanagerclient.exe
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\winsystem.exe
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32winsystem.exe
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32vbsys2.dll
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32sysreq.exe
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32newsd32.exe
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32mssecu.exe
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32emesx.dll
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32bdn.com
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32awtoolb.dll
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32anticipator.dll
    2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\system32akttzn.exe
    2008-04-09 22:39:20 4096 --a------ C:\Documents and Settings\David\Desktopfwebd.exe
    2008-04-09 22:38:39 0 d-------- C:\Documents and Settings\All Users\Application Data\nezutere
    2008-04-09 22:37:01 37888 --a------ C:\WINDOWS\system32\ssQkLEuV.dll
    2008-03-26 14:03:10 0 --a------ C:\Documents and Settings\David\BK_SANS_001035c
    2008-03-26 14:02:47 0 --a------ C:\Documents and Settings\David\BK_SANS_001035b


    -- Find3M Report ---------------------------------------------------------------

    2008-04-13 16:57:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-04-12 15:55:01 0 d-------- C:\Program Files\Yahoo!
    2008-04-12 14:54:01 0 d-------- C:\Program Files\LAIEL
    2008-04-12 01:48:49 4532 --a------ C:\WINDOWS\system32\tmp.reg
    2008-04-10 23:35:58 0 d-------- C:\Program Files\Qimage
    2008-04-07 02:23:05 0 d-------- C:\Program Files\Norton SystemWorks
    2008-04-02 18:51:18 0 d-------- C:\Documents and Settings\David\Application Data\Vso
    2008-04-01 00:30:39 4184 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2008-03-26 02:27:38 0 d-------- C:\Program Files\Thumbs7
    2008-03-21 13:25:29 0 d-------- C:\Documents and Settings\David\Application Data\Real
    2008-03-15 13:38:21 0 d-------- C:\Program Files\EPSON Print CD
    2008-03-15 13:02:02 0 d-------- C:\Documents and Settings\David\Application Data\AccurateRip
    2008-03-15 12:48:18 0 d-------- C:\Program Files\dvd43
    2008-03-11 23:44:32 0 d-------- C:\Documents and Settings\David\Application Data\DivX
    2008-02-27 11:11:09 0 d-------- C:\Program Files\Quick View Plus
    2008-02-27 11:11:03 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-02-24 13:08:13 0 d-------- C:\Documents and Settings\David\Application Data\Adobe
    2008-02-14 17:26:48 0 d-------- C:\Program Files\Common Files\Adobe
    2008-02-13 11:01:40 67344 --a------ C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-13 01:09:37 0 d-------- C:\Program Files\QuickTime
    2008-02-08 01:30:53 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
    2008-01-24 18:30:56 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-01-23 03:58:34 3058 --a------ C:\WINDOWS\mozver.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
    10/04/2007 01:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    08/24/2007 08:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]
    04/09/2008 10:37 PM 37888 --a------ C:\WINDOWS\system32\ssQkLEuV.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    02/06/2008 12:34 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABD9C55-9485-4001-8B3D-2F5712F43B17}]
    04/12/2008 12:03 PM 272384 --a------ C:\WINDOWS\system32\rqRLbcYQ.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} "= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 01:06 PM 1135968]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 08:51 PM 316784]

    [-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 04:16 PM]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [05/10/2000 11:00 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/28/2008 04:54 PM]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
    "nwiz "= "nwiz.exe" [04/01/2005 04:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [04/01/2005 04:16 PM]
    "Norton Ghost 12.0 "= "C:\Program Files\Norton Ghost\Agent\VProTray.exe" [01/10/2008 05:43 AM]
    "Logitech Utility "= "Logi_MwX.Exe" [05/16/2003 07:50 AM C:\WINDOWS\LOGI_MWX.EXE]
    "KernelFaultCheck "= "C:\WINDOWS\system32\dumprep 0 -k" []
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 04:22 AM]
    "IntelMeM "= "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 06:12 PM]
    "IAAnotif "= "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [06/29/2004 09:23 AM]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
    "dvd43 "= "C:\Program Files\dvd43\dvd43_tray.exe" [03/01/2008 03:49 PM]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [12/05/2004 11:05 PM]
    "CTxfiHlp "= "CTXFIHLP.EXE" [04/09/2007 12:32 PM C:\WINDOWS\SYSTEM32\Ctxfihlp.exe]
    "CTSysVol "= "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [09/17/2003 11:43 AM]
    "CTHelper "= "CTHELPER.EXE" [04/09/2007 12:32 PM C:\WINDOWS\SYSTEM32\CtHelper.exe]
    "CTDVDDET "= "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [06/18/2003 02:00 AM]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/31/2008 02:15 PM]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 09:53 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]
    "d4b169e1 "= "C:\WINDOWS\system32\ubwfwnyw.dll" [04/13/2008 12:09 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]
    "Norton SystemWorks "= "C:\Program Files\Norton SystemWorks\cfgwiz.exe" [09/09/2004 07:12 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 AM]

    C:\Documents and Settings\David\Start Menu\Programs\Startup\
    DESKTOP.INI [8/19/2004 2:07:20 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [8/19/2004 2:07:20 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{0cab0400-7395-11d0-a5e5-0020afe2fdd9} "= qvphook.dll [ ]
    "{63AB48C9-01A8-495C-8194-A715DB8A37A2} "= C:\WINDOWS\system32\ssQkLEuV.dll [04/09/2008 10:37 PM 37888]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
    C:\WINDOWS\system32\pmkhf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssQkLEuV]
    ssQkLEuV.dll 04/09/2008 10:37 PM 37888 C:\WINDOWS\SYSTEM32\ssQkLEuV.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    *Newly Created Service* - COMHOST



    -- End of Deckard's System Scanner: finished at 2008-04-13 17:00:39 ------------

    ComboFix log on next post!
     
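Several indicators in the DSS/HijackThis log above are worth pulling out mechanically rather than by eye: the O17 entries set NameServer in both control sets to two public addresses in 85.255.112.0/20 (a range long associated with DNS-changing trojans, and not a home ISP's resolvers); the O4 value named with eight hex digits (d4b169e1) loads a random-named DLL via rundll32; the O20 Winlogon Notify entries include one whose DLL is missing and one (ssQkLEuV.dll) that is also registered as an unnamed BHO and as a ShellExecuteHook; rqRLbcYQ.dll sits next to QYcbLRqr.ini2, whose stem is the DLL name reversed (the ComboFix log in the next post removes ubwfwnyw.dll alongside wynwfwbu.ini, the same pairing); and a batch of files of exactly 4096 bytes was written within about ten seconds at 22:39, which is typical of a dropper writing a batch of decoys. Note that both DSS and ComboFix log the separator-less names such as C:\WINDOWS\system32taack.exe the same way, so they are kept verbatim rather than treated as a typo. The script below is an added example written for this page, not code from the thread, from Deckard's System Scanner or from HijackThis; the sample lines are constructed to resemble the posted log, and the trusted-resolver list and the burst thresholds are assumptions you would replace with the site's real values.

```python
# Added example, not code from the thread: triage a DSS/HijackThis excerpt for
# the indicators visible in the post above. Constructed sample, assumed thresholds.
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the DSS/HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\ssQkLEuV.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [d4b169e1] rundll32.exe "C:\WINDOWS\system32\ubwfwnyw.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll (file missing)
O20 - Winlogon Notify: ssQkLEuV - C:\WINDOWS\SYSTEM32\ssQkLEuV.dll
2008-04-13 12:09:32 85568 --a------ C:\WINDOWS\system32\ubwfwnyw.dll
2008-04-12 12:03:32 180410 --ahs---- C:\WINDOWS\system32\QYcbLRqr.ini2
2008-04-12 12:03:30 272384 --a------ C:\WINDOWS\system32\rqRLbcYQ.dll
2008-04-09 22:39:29 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-09 22:39:28 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-09 22:39:23 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-09 22:39:20 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-09 22:37:01 37888 --a------ C:\WINDOWS\system32\ssQkLEuV.dll
"""

# Resolvers the box should be using (assumed: private space, i.e. a home router;
# add the ISP's real resolvers for a production check).
TRUSTED_RESOLVERS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HJT_RE = re.compile(r"^(O\d+) - (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) \S+ (.+)$")
HEX_RUN_KEY_RE = re.compile(r"\[[0-9a-f]{8}\] ")  # [d4b169e1]-style Run value names

def check_nameservers(text):
    """O17: return every configured resolver that is not on the trusted list."""
    m = re.search(r"NameServer = (.+)$", text)
    if not m:
        return []
    bad = []
    for addr in re.split(r"[\s,]+", m.group(1).strip()):
        try:
            ok = any(ip_address(addr) in net for net in TRUSTED_RESOLVERS)
        except ValueError:
            ok = False  # not even an address: report it
        if not ok:
            bad.append(addr)
    return bad

def find_reversed_pairs(paths):
    """Vundo-style pairing: a DLL whose stem, reversed, names an .ini/.ini2 file."""
    exts_by_stem = defaultdict(set)
    for p in paths:
        stem, _, ext = p.rsplit("\\", 1)[-1].rpartition(".")
        exts_by_stem[stem].add(ext.lower())
    pairs = []
    for stem, exts in exts_by_stem.items():
        ini = sorted(exts_by_stem.get(stem[::-1], set()) & {"ini", "ini2"})
        if "dll" in exts and ini:
            pairs.append((stem + ".dll", stem[::-1] + "." + ini[0]))
    return sorted(pairs)

def find_bursts(created, window_seconds=60, min_count=4):
    """Files of identical size written within one short window (a dropper's batch)."""
    by_size = defaultdict(list)
    for ts, size, path in created:
        by_size[size].append((ts, path))
    bursts = []
    for size, items in sorted(by_size.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [p for ts, p in items[i:] if (ts - start).total_seconds() <= window_seconds]
            if len(run) >= min_count:
                bursts.append((size, run))
                break
    return bursts

def triage(log_text):
    """Return (tag, detail) findings for one DSS/HijackThis log, in log order."""
    findings, created = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = CREATED_RE.match(line)
        if m:  # "Files created" entry: timestamp, size, attributes, path
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            created.append((ts, int(m.group(2)), m.group(3)))
            continue
        m = HJT_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O17":
            findings += [("dns-hijack", a) for a in check_nameservers(rest)]
        elif kind == "O20":  # Winlogon Notify package; "(file missing)" = dangling hook
            tag = "winlogon-notify-dangling" if "(file missing)" in rest else "winlogon-notify"
            findings.append((tag, rest))
        elif kind == "O2" and rest.startswith("BHO: (no name)"):
            findings.append(("unnamed-bho", rest.rsplit(" - ", 1)[-1]))
        elif kind == "O4" and "rundll32" in rest.lower() and HEX_RUN_KEY_RE.search(rest):
            findings.append(("hex-run-key", rest))
    for dll, ini in find_reversed_pairs([p for _, _, p in created]):
        findings.append(("reversed-name-pair", dll + " <-> " + ini))
    for size, paths in find_bursts(created):
        findings.append(("same-size-burst", "%d files of %d bytes" % (len(paths), size)))
    return findings
```

Run `triage(SAMPLE_LOG)` and you get eight findings: the unnamed BHO, the hex-named Run value, both rogue resolvers, the two Notify hooks, the rqRLbcYQ.dll / QYcbLRqr.ini2 pair and the four-file 4096-byte burst. The resolver check is an allowlist on purpose: a denylist of known bad ranges would have missed the next hijack, whereas anything not in the resolvers you expect is always worth a look.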
  6. 2008/04/13
    dhartson

    dhartson Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    14
    Likes Received:
    0
    Reply (b)

    ComboFix Log:

    ComboFix 08-04-13.1 - David 2008-04-13 17:30:06.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.522 [GMT -7:00]
    Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\David\Application Data\inst.exe
    C:\Documents and Settings\David\Desktopblackbird.jpg
    C:\Documents and Settings\David\DesktopEditorFKWP1.5.exe
    C:\Documents and Settings\David\DesktopEditorFKWP2.0.exe
    C:\Documents and Settings\David\Desktopfilemanagerclient.exe
    C:\Documents and Settings\David\Desktopfkwp1.5.exe
    C:\Documents and Settings\David\Desktopfkwp2.0.exe
    C:\Documents and Settings\David\Desktopfwebd.exe
    C:\Documents and Settings\David\DesktopFWebdEditor.exe
    C:\Documents and Settings\David\DesktopTrojan.Win32.BlackBird.exe
    C:\Documents and Settings\Kat\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\WINDOWS\a.bat
    C:\WINDOWS\base64.tmp
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\SYSTEM32\QYcbLRqr.ini
    C:\WINDOWS\SYSTEM32\QYcbLRqr.ini2
    C:\WINDOWS\system32\rqRLbcYQ.dll
    C:\WINDOWS\system32\ssQkLEuV.dll
    C:\WINDOWS\system32\ubwfwnyw.dll
    C:\WINDOWS\SYSTEM32\wynwfwbu.ini
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\awtoolb.dll
    C:\WINDOWS\system32\bdn.com
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\emesx.dll
    C:\WINDOWS\system32\h@tkeysh@@k.dll
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\medup012.dll
    C:\WINDOWS\system32\medup020.dll
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\msvchost.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\Rundl1.exe
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\taack.dat
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\thun.dll
    C:\WINDOWS\system32\thun32.dll
    C:\WINDOWS\system32\VBIEWER.OCX
    C:\WINDOWS\system32\vbsys2.dll
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\zip1.tmp
    C:\WINDOWS\zip2.tmp
    C:\WINDOWS\zip3.tmp
    C:\WINDOWS\zipped.tmp
    G:\buildbu.bat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Service_6to4
    -------\Service_PortProxy


    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-13 17:19 . 2008-04-13 17:33 4,958,588 --------- C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK
    2008-04-13 16:53 . 2008-04-13 16:53 <DIR> d-------- C:\Deckard
    2008-04-12 22:03 . 2008-04-12 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-04-12 22:02 . 2008-04-12 22:03 97,916 --a------ C:\TEMP\cc_20080412_2202.reg
    2008-04-12 12:46 . 2008-04-12 12:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-04-12 12:46 . 2008-04-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-12 12:40 . 2008-04-12 12:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-12 12:06 . 2008-04-13 12:06 294 --ahs---- C:\WINDOWS\SYSTEM32\xccfmflt.ini
    2008-04-12 01:40 . 2008-04-12 01:40 <DIR> d-------- C:\Documents and Settings\David\Application Data\Grisoft
    2008-04-12 01:40 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2008-04-10 23:16 . 2008-04-10 23:17 474 --ahs---- C:\WINDOWS\SYSTEM32\ygbbdtkt.ini
    2008-04-10 20:26 . 2008-04-10 23:09 414 --ahs---- C:\WINDOWS\SYSTEM32\gokikkks.ini
    2008-04-10 00:45 . 2008-04-10 08:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-10 00:45 . 2008-04-10 00:45 <DIR> d-------- C:\Documents and Settings\David\Application Data\Malwarebytes
    2008-04-10 00:45 . 2008-04-10 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-10 00:38 . 2008-04-10 00:38 <DIR> d-------- C:\Documents and Settings\David\Application Data\TmpRecentIcons
    2008-04-09 22:38 . 2008-04-10 06:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nezutere

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-14 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-14 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-12 22:55 --------- d-----w C:\Program Files\Yahoo!
    2008-04-12 21:54 --------- d-----w C:\Program Files\LAIEL
    2008-04-11 06:35 --------- d-----w C:\Program Files\Qimage
    2008-04-07 09:23 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-04-03 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
    2008-04-03 01:51 --------- d-----w C:\Documents and Settings\David\Application Data\Vso
    2008-03-26 09:27 --------- d-----w C:\Program Files\Thumbs7
    2008-03-26 02:41 67,736 ----a-w C:\Documents and Settings\Jessica\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-15 20:38 --------- d-----w C:\Program Files\EPSON Print CD
    2008-03-15 20:02 --------- d-----w C:\Documents and Settings\David\Application Data\AccurateRip
    2008-03-15 19:48 18,816 ----a-w C:\WINDOWS\system32\drivers\dvd43llh.sys
    2008-03-15 19:48 --------- d-----w C:\Program Files\dvd43
    2008-03-12 06:44 --------- d-----w C:\Documents and Settings\David\Application Data\DivX
    2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
    2008-02-27 18:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-27 18:11 --------- d-----w C:\Program Files\Quick View Plus
    2008-02-22 06:14 --------- d-----w C:\Documents and Settings\Jessica\Application Data\Apple Computer
    2008-02-15 00:26 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-13 18:01 67,344 ----a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
    2007-08-18 05:17 47,360 ----a-w C:\Documents and Settings\David\Application Data\pcouffin.sys
    2007-08-18 04:54 87,608 ----a-w C:\Documents and Settings\David\Application Data\ezpinst.exe
    2005-04-29 15:41 251 ----a-w C:\Program Files\wt3d.ini
    2007-12-27 18:00 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\QVPLUG32.DLL
    2005-05-09 00:50 32 --sha-w C:\WINDOWS\{55B8C43D-0DB9-4D8A-AD4E-60FA02B9170F}.dat
    2005-05-09 00:51 32 --sha-w C:\WINDOWS\{CB856DDB-335E-4AF6-A2F3-0BBDCC68C66D}.dat
    2005-05-09 00:51 32 --sha-w C:\WINDOWS\{EEE916EB-E2C8-4833-A0FC-CD222E754C85}.dat
    2006-05-09 04:53 8 --sh--r C:\WINDOWS\SYSTEM32\3D2BE1D866.sys
    2006-02-27 20:22 56 --sh--r C:\WINDOWS\SYSTEM32\66D8E12B3D.sys
    2005-05-09 00:50 32 --sha-w C:\WINDOWS\SYSTEM32\{380A6DD9-641B-46B2-9B3B-26012AF9271F}.dat
    2005-05-09 00:51 32 --sha-w C:\WINDOWS\SYSTEM32\{9D9E4D2C-6A9E-4456-ACE7-7940780B53D9}.dat
    2005-05-09 00:51 32 --sha-w C:\WINDOWS\SYSTEM32\{D1E58116-341A-4EDB-AB78-7962087101D9}.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
    2007-10-04 13:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    2007-08-24 20:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    2008-02-06 00:34 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} "= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 13:06 1135968]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 20:51 316784]

    [HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} "= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 13:06 1135968]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

    [HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
    "Norton SystemWorks "= "C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 19:12 132248]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16 5562368]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00 90112]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 16:54 185896]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14 155648]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "nwiz "= "nwiz.exe" [2005-04-01 16:16 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16 86016]
    "Norton Ghost 12.0 "= "C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 05:43 2037088]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-05-16 07:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
    "IntelMeM "= "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
    "IAAnotif "= "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 09:23 135168]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
    "dvd43 "= "C:\Program Files\dvd43\dvd43_tray.exe" [2008-03-01 15:49 826880]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\WINDOWS\SYSTEM32\Ctxfihlp.exe]
    "CTSysVol "= "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
    "CTHelper "= "CTHELPER.EXE" [2007-04-09 12:32 19456 C:\WINDOWS\SYSTEM32\CtHelper.exe]
    "CTDVDDET "= "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 21:53 714608]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{0cab0400-7395-11d0-a5e5-0020afe2fdd9} "= qvphook.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
    C:\WINDOWS\system32\pmkhf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\AboutTime\\AboutTime.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 LiveUpdate Notice;LiveUpdate Notice; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
    R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-24 18:20]
    S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-08-16 12:23]

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 22:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-11 13:27:27 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - David.job "
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
    "2008-04-07 09:23:05 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job "
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-04-13 10:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job "
    - C:\Program Files\SpywareBot\SpywareBot.ex
    - C:\Program Files\SpywareBot
    "2008-04-13 07:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job "
    - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 17:45:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\SYSTEM32\BRSS01A.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\EHOME\ehrecvr.exe
    C:\WINDOWS\EHOME\ehSched.exe
    C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\SYSTEM32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.exe
    C:\WINDOWS\EHOME\mcrdsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\WINDOWS\SYSTEM32\DLLHOST.EXE
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
    C:\WINDOWS\EHOME\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-13 17:48:17 - machine was rebooted [David]
    ComboFix-quarantined-files.txt 2008-04-14 00:48:10

    Pre-Run: 56,021,626,880 bytes free
    Post-Run: 56,059,936,768 bytes free
    .
    2008-04-09 10:03:31 --- E O F ---

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    Thanks again!
     
  7. 2008/04/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi dhartson

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    SpywareBot

    Please note any other programs that you don't recognize in that list and post them in your next response

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\SYSTEM32\xccfmflt.ini
    C:\WINDOWS\SYSTEM32\ygbbdtkt.ini
    C:\WINDOWS\SYSTEM32\gokikkks.ini
    C:\WINDOWS\{55B8C43D-0DB9-4D8A-AD4E-60FA02B9170F}.dat
    C:\WINDOWS\{CB856DDB-335E-4AF6-A2F3-0BBDCC68C66D}.dat
    C:\WINDOWS\{EEE916EB-E2C8-4833-A0FC-CD222E754C85}.dat
    C:\WINDOWS\SYSTEM32\3D2BE1D866.sys
    C:\WINDOWS\SYSTEM32\66D8E12B3D.sys
    C:\WINDOWS\SYSTEM32\{380A6DD9-641B-46B2-9B3B-26012AF9271F}.dat
    C:\WINDOWS\SYSTEM32\{9D9E4D2C-6A9E-4456-ACE7-7940780B53D9}.dat
    C:\WINDOWS\SYSTEM32\{D1E58116-341A-4EDB-AB78-7962087101D9}.dat
    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
    C:\Downloads\Anti-Spyware\setupxv.exe 
    C:\TEMP\cc_20080412_2202.reg
    C:\Downloads\MediaTubeCodec_ver1.919.0(2).exe
    
    Folder::
    C:\Program Files\SpywareBot
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf] 
    Please post the CFScript and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #6
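    The triage Geri does by eye on the log above (the hidden+system .ini files with random names in system32, the Winlogon Notify package, the Security Center and firewall values, the newly created service) and the CFScript built from it can be scripted. The block below is an added example for this thread; it is not code from ComboFix, from its author, or from either poster. The log excerpt inside it is constructed from lines quoted in the thread, and every heuristic is this example's own assumption rather than a documented ComboFix feature: the reversed .ini/.dll naming it pairs up (QYcbLRqr.ini with rqRLbcYQ.dll, wynwfwbu.ini with ubwfwnyw.dll) is a trait I associate with Vundo-family infections of that era, and a Notify package is flagged simply because ComboFix's own note says legit default entries are already omitted. The drafted script lists only what Geri's script lists (the --ahs---- .ini files and the Notify key) and still needs a person to review it before it is dropped onto ComboFix.

```python
"""Triage a ComboFix log excerpt and draft a CFScript from the findings.

Added example for this thread, not code from ComboFix or from the posters.
SAMPLE_LOG is constructed from lines quoted in the thread; the heuristics
are this example's assumptions, not a documented ComboFix feature.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
C:\WINDOWS\SYSTEM32\QYcbLRqr.ini
C:\WINDOWS\system32\rqRLbcYQ.dll
C:\WINDOWS\system32\ubwfwnyw.dll
C:\WINDOWS\SYSTEM32\wynwfwbu.ini
((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))
2008-04-12 12:06 . 2008-04-13 12:06 294 --ahs---- C:\WINDOWS\SYSTEM32\xccfmflt.ini
2008-04-12 01:40 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-04-10 23:16 . 2008-04-10 23:17 474 --ahs---- C:\WINDOWS\SYSTEM32\ygbbdtkt.ini
((((((((((( Reg Loading Points )))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhf]
C:\WINDOWS\system32\pmkhf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
*Newly Created Service* - COMHOST
"""

# "Files Created" line: created . modified size|<DIR> attrs path
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
                       r"(?:<DIR>|[\d,]+) ([a-z-]{9}) (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
NEW_SERVICE = re.compile(r"^\*Newly Created Service\* - (\S+)")


def reg_int(raw):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r"dword:([0-9a-fA-F]+)$", raw) or re.match(r"(\d+)", raw)
    if not m:
        return None
    return int(m.group(1), 16 if raw.startswith("dword:") else 10)


def reversed_name_pairs(paths):
    """Pair each .ini whose stem is the reverse of a .dll stem (Vundo-style naming, an assumption)."""
    by_ext = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_ext.setdefault(wp.suffix.lower(), {})[wp.stem.lower()] = p
    dlls = by_ext.get(".dll", {})
    return [(ini, dlls[stem[::-1]]) for stem, ini in sorted(by_ext.get(".ini", {}).items())
            if stem[::-1] in dlls]


def triage(log):
    """Return the findings a helper would pull out of a ComboFix log by eye."""
    f = {"hidden_system_ini": [], "reversed_pairs": [], "security_center_disabled": [],
         "firewall_off": False, "winlogon_notify": [], "new_services": []}
    paths, key = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := FILE_LINE.match(line):
            attrs, path = m.groups()
            # hidden + system .ini with a random name: the files Geri lists under File::
            if "h" in attrs and "s" in attrs and path.lower().endswith(".ini"):
                f["hidden_system_ini"].append(path)
        elif m := NEW_SERVICE.match(line):
            f["new_services"].append(m.group(1))
        elif m := REG_KEY.match(line):
            key = m.group(1)
        elif (m := REG_VALUE.match(line)) and key:
            name, val, k = m.group(1), reg_int(m.group(2)), key.lower()
            # Both can be legitimate (a suite registering its own monitoring, a
            # third-party firewall such as the Norton one on this box), so correlate
            # with the installed products before treating them as tampering.
            if "security center\\monitoring" in k and name == "DisableMonitoring" and val == 1:
                f["security_center_disabled"].append(key)
            if "firewallpolicy\\standardprofile" in k and name == "EnableFirewall" and val == 0:
                f["firewall_off"] = True
        elif DRIVE_PATH.match(line):
            # ComboFix already hides legit defaults, so any Notify package it shows is suspect.
            if key and "winlogon\\notify\\" in key.lower():
                f["winlogon_notify"].append((key, line))
            else:
                paths.append(line)
    f["reversed_pairs"] = reversed_name_pairs(paths)
    return f


def draft_cfscript(f):
    """File:: and Registry:: sections in the syntax Geri's script uses; review before use."""
    out = ["File::", *f["hidden_system_ini"], ""]
    if f["winlogon_notify"]:
        out += ["Registry::", *(f"[-{k}]" for k, _ in f["winlogon_notify"]), ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, value in found.items():
        print(f"{name}: {value}")
    print(draft_cfscript(found))
```

    Run against the excerpt it reports the two --ahs---- .ini files, both reversed-name pairs from the Other Deletions list, the pmkhf Notify DLL, the disabled Security Center monitoring entry, the firewall policy set to 0 and the COMHOST service, and drafts the same File:: and Registry:: entries Geri wrote by hand. Run against a full log it will also pick up entries that are benign on a machine with a third-party suite installed, which is why the output is a draft and not a script to drop onto ComboFix unread.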
  8. 2008/04/14
    dhartson

    dhartson Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    14
    Likes Received:
    0
    Thank you very much for the continuing help, Geri.

    I followed your instructions and am posting the two logs you requested. However, I thought that you might want to know that I received an error message during the first run of HijackThis, so I ran it again for the log I have posted below (at the bottom). The program ran the second time without any error. It turns out that both logs were identical.

    Please help us improve HijackThis by reporting this error

    Click 'Yes' to submit

    Error Details:

    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
    Error #5 - Invalid procedure call or argument

    Windows version: Windows NT 5.01.2600
    MSIE version: 7.0.5730.11
    HijackThis version: 2.0.2:

    ComboFix Log:

    ComboFix 08-04-13.1 - David 2008-04-14 19:53:40.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.583 [GMT -7:00]
    Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Downloads\Anti-Spyware\setupxv.exe
    C:\Downloads\MediaTubeCodec_ver1.919.0(2).exe
    C:\TEMP\cc_20080412_2202.reg
    C:\WINDOWS\{55B8C43D-0DB9-4D8A-AD4E-60FA02B9170F}.dat
    C:\WINDOWS\{CB856DDB-335E-4AF6-A2F3-0BBDCC68C66D}.dat
    C:\WINDOWS\{EEE916EB-E2C8-4833-A0FC-CD222E754C85}.dat
    C:\WINDOWS\SYSTEM32\{380A6DD9-641B-46B2-9B3B-26012AF9271F}.dat
    C:\WINDOWS\SYSTEM32\{9D9E4D2C-6A9E-4456-ACE7-7940780B53D9}.dat
    C:\WINDOWS\SYSTEM32\{D1E58116-341A-4EDB-AB78-7962087101D9}.dat
    C:\WINDOWS\SYSTEM32\3D2BE1D866.sys
    C:\WINDOWS\SYSTEM32\66D8E12B3D.sys
    C:\WINDOWS\SYSTEM32\gokikkks.ini
    C:\WINDOWS\SYSTEM32\xccfmflt.ini
    C:\WINDOWS\SYSTEM32\ygbbdtkt.ini
    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Downloads\Anti-Spyware\setupxv.exe
    C:\Downloads\MediaTubeCodec_ver1.919.0(2).exe
    C:\TEMP\cc_20080412_2202.reg
    C:\WINDOWS\{55B8C43D-0DB9-4D8A-AD4E-60FA02B9170F}.dat
    C:\WINDOWS\{CB856DDB-335E-4AF6-A2F3-0BBDCC68C66D}.dat
    C:\WINDOWS\{EEE916EB-E2C8-4833-A0FC-CD222E754C85}.dat
    C:\WINDOWS\SYSTEM32\{380A6DD9-641B-46B2-9B3B-26012AF9271F}.dat
    C:\WINDOWS\SYSTEM32\{9D9E4D2C-6A9E-4456-ACE7-7940780B53D9}.dat
    C:\WINDOWS\SYSTEM32\{D1E58116-341A-4EDB-AB78-7962087101D9}.dat
    C:\WINDOWS\SYSTEM32\3D2BE1D866.sys
    C:\WINDOWS\SYSTEM32\66D8E12B3D.sys
    C:\WINDOWS\SYSTEM32\gokikkks.ini
    C:\WINDOWS\SYSTEM32\xccfmflt.ini
    C:\WINDOWS\SYSTEM32\ygbbdtkt.ini
    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
    .

    2008-04-13 17:19 . 2008-04-13 18:05 4,958,588 --a------ C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK
    2008-04-13 16:53 . 2008-04-13 16:53 <DIR> d-------- C:\Deckard
    2008-04-12 22:03 . 2008-04-12 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-04-12 12:46 . 2008-04-12 12:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-04-12 12:46 . 2008-04-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-12 12:40 . 2008-04-12 12:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-12 01:40 . 2008-04-12 01:40 <DIR> d-------- C:\Documents and Settings\David\Application Data\Grisoft
    2008-04-12 01:40 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2008-04-10 00:45 . 2008-04-10 08:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-10 00:45 . 2008-04-10 00:45 <DIR> d-------- C:\Documents and Settings\David\Application Data\Malwarebytes
    2008-04-10 00:45 . 2008-04-10 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-10 00:38 . 2008-04-10 00:38 <DIR> d-------- C:\Documents and Settings\David\Application Data\TmpRecentIcons
    2008-04-09 22:38 . 2008-04-10 06:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nezutere

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-15 01:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-15 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-14 16:23 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-04-12 22:55 --------- d-----w C:\Program Files\Yahoo!
    2008-04-12 21:54 --------- d-----w C:\Program Files\LAIEL
    2008-04-12 08:48 4,532 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
    2008-04-11 06:35 --------- d-----w C:\Program Files\Qimage
    2008-04-03 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
    2008-04-03 01:51 --------- d-----w C:\Documents and Settings\David\Application Data\Vso
    2008-04-01 07:30 4,184 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    2008-03-26 09:27 --------- d-----w C:\Program Files\Thumbs7
    2008-03-26 02:41 67,736 ----a-w C:\Documents and Settings\Jessica\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
    2008-03-15 20:38 --------- d-----w C:\Program Files\EPSON Print CD
    2008-03-15 20:02 --------- d-----w C:\Documents and Settings\David\Application Data\AccurateRip
    2008-03-15 19:48 18,816 ----a-w C:\WINDOWS\system32\drivers\dvd43llh.sys
    2008-03-15 19:48 --------- d-----w C:\Program Files\dvd43
    2008-03-12 06:44 --------- d-----w C:\Documents and Settings\David\Application Data\DivX
    2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
    2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
    2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
    2008-02-27 18:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-27 18:11 --------- d-----w C:\Program Files\Quick View Plus
    2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
    2008-02-22 06:14 --------- d-----w C:\Documents and Settings\Jessica\Application Data\Apple Computer
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
    2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
    2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
    2008-02-15 00:26 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-13 18:01 67,344 ----a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-08 15:34 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
    2008-02-08 08:30 25,992 ----a-w C:\WINDOWS\SYSTEM32\pgdfgsvc.exe
    2008-01-28 23:54 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
    2007-08-18 05:17 47,360 ----a-w C:\Documents and Settings\David\Application Data\pcouffin.sys
    2007-08-18 04:54 87,608 ----a-w C:\Documents and Settings\David\Application Data\ezpinst.exe
    2005-04-29 15:41 251 ----a-w C:\Program Files\wt3d.ini
    2007-12-27 18:00 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\QVPLUG32.DLL
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-13_17.47.48.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 00:34:18 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
    + 2008-04-14 01:06:50 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
    + 2008-04-14 01:07:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_690.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
    2007-10-04 13:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    2007-08-24 20:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    2008-02-06 00:34 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} "= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 13:06 1135968]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 20:51 316784]

    [HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} "= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 13:06 1135968]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

    [HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
    "Norton SystemWorks "= "C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 19:12 132248]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16 5562368]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00 90112]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 16:54 185896]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14 155648]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "nwiz "= "nwiz.exe" [2005-04-01 16:16 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16 86016]
    "Norton Ghost 12.0 "= "C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 05:43 2037088]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-05-16 07:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
    "IntelMeM "= "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
    "IAAnotif "= "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 09:23 135168]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
    "dvd43 "= "C:\Program Files\dvd43\dvd43_tray.exe" [2008-03-01 15:49 826880]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\WINDOWS\SYSTEM32\Ctxfihlp.exe]
    "CTSysVol "= "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
    "CTHelper "= "CTHELPER.EXE" [2007-04-09 12:32 19456 C:\WINDOWS\SYSTEM32\CtHelper.exe]
    "CTDVDDET "= "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 21:53 714608]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{0cab0400-7395-11d0-a5e5-0020afe2fdd9} "= qvphook.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\AboutTime\\AboutTime.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 LiveUpdate Notice;LiveUpdate Notice; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
    R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-24 18:20]
    S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-08-16 12:23]

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 22:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-11 13:27:27 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - David.job "
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
    "2008-04-14 16:23:23 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job "
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-04-14 07:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job "
    - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 19:55:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-14 19:56:24
    ComboFix-quarantined-files.txt 2008-04-15 02:56:20
    ComboFix2.txt 2008-04-14 01:12:17
    ComboFix3.txt 2008-04-14 00:48:18

    Pre-Run: 56,018,948,096 bytes free
    Post-Run: 55,993,499,648 bytes free
    .
    2008-04-09 10:03:31 --- E O F ---

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>o<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:10:22 PM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ScanSoft\PDF Professional 4.0\PdfPro4Hook.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe "
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

    --
    End of file - 10948 bytes
     
  9. 2008/04/15
    Geri Lifetime Subscription

    Hi dhartson

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Reboot your computer.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now let's get an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it, then click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
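    The two O17 entries Geri asks to have fixed are the kind of thing a triage script can pull out of a HijackThis or ComboFix log automatically. The Python below is an added example, not code from this thread or from either tool: it flags NameServer entries that are neither private addresses nor on a caller-supplied allowlist (the `allowlist` parameter is an assumption), Security Center monitoring switched off, and the Windows Firewall disabled. The sample lines are constructed in the style of the logs posted above; the per-interface O17 line uses a `{GUID}` placeholder.

```python
import ipaddress
import re

# Constructed sample in the style of the HijackThis and ComboFix lines quoted in
# this thread. The O17 lines are the ones the helper asked to have fixed; the
# per-interface O17 line uses a placeholder {GUID} rather than a real key name.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.168.1.1
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"""

# HijackThis O17 line: "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# ComboFix registry dump: "[<key>]" header followed by "<name>"=<value> lines.
# The forum copy leaves a space before the closing quote, hence the \s*.
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring\s*"=dword:(?P<val>[0-9a-fA-F]{8})')
ENABLE_FW_RE = re.compile(r'^"EnableFirewall\s*"=\s*(?P<val>\d+)')


def trusted_dns(ip_str, allowlist=()):
    """A resolver is trusted if it is a private/loopback address (home router,
    local DNS) or on the caller-supplied allowlist of ISP/corporate resolvers."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed entry: treat as untrusted so it gets reviewed
    if ip.is_private or ip.is_loopback:
        return True
    return any(ip == ipaddress.ip_address(a) for a in allowlist)


def triage(log_text, allowlist=()):
    """Return (category, location, detail) tuples for settings that merit a
    second look, in the order the lines appear in the log."""
    findings = []
    current_key = ""  # registry key of the most recent "[...]" header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            untrusted = [s for s in m.group("servers").split()
                         if not trusted_dns(s, allowlist)]
            if untrusted:
                findings.append(("dns_hijack", m.group("key"), " ".join(untrusted)))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DISABLE_MON_RE.match(line)
        if m and "security center" in current_key and int(m.group("val"), 16) != 0:
            findings.append(("security_center_monitoring_off", current_key,
                             "DisableMonitoring=%d" % int(m.group("val"), 16)))
            continue
        m = ENABLE_FW_RE.match(line)
        if m and "firewallpolicy" in current_key and int(m.group("val")) == 0:
            findings.append(("windows_firewall_off", current_key, "EnableFirewall=0"))
    return findings


if __name__ == "__main__":
    for category, where, detail in triage(SAMPLE_LOG):
        print("%-32s %s  [%s]" % (category, where, detail))
```

    Run against the sample it reports both hijacked O17 entries and skips the 192.168.1.1 line; pass the ISP's resolvers in `allowlist` to keep a legitimate public DNS server from being flagged.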
  10. 2008/04/16
    dhartson

    I ran the HiJackThis as instructed, as well as the ATF Cleaner.

    I then ran the online scan 3x; each scan is about 2 1/2 hours, and the program crashes when I try to save the report. I click save as, change to *.txt, type the first letter of a file name, and it freezes. After the third try, I went down the list before trying to save the report and made the following notes.

    # of viruses: 6
    # of infected objects: 11
    number of suspicious objects: 3
    scan duration: 02:16:54

    my notes don't seem to add up to the above totals, but here is what I got:

    the third column of the report says "skipped" all the way down

    in the second column, every line says "Object is locked" except for the following

    there were 3 items marked as "suspicious":

    trojan-spy.html.fraud.gen
    c:\documents and settings\david\local settings\application data\identities\(B32D48CA-91FC-4570-8853-6AD2EA99D834)\Microsoft\Outlook Express\Deleted Items.dbx\[from "HSBC Bank" <auto_remailer.id9285-7796402bib@hsbc.com>][Date Mon, 24 Mar 2008 23:45:29 -0400]/unnamed\html

    trojan-spy.html.fraud.gen
    c:\documents and settings\david\local settings\application data\identities\(B32D48CA-91FC-4570-8853-6AD2EA99D834)\Microsoft\Outlook Express\Deleted Items.dbx\[from "HSBC Bank" <auto_remailer.id9285-7796402bib@hsbc.com>][Date Mon, 24 Mar 2008 23:45:29 -0400]/unnamed

    Mail MS Outlook 5: suspicious -2
    c:\documents and settings\david\local settings\application data\identities\(B32D48CA-91FC-4570-8853-6AD2EA99D834)\Microsoft\Outlook Express\Deleted Items.dbx

    there were 6 items marked as "infected":

    virus: not-a-virus:FraudTool.Win32.SpywareBot.a
    c:\qooBox\Quarantine\C\Downloads\Anti-Spyware\setupxv.exe.vir/spywarebot/spywarebot.exe

    virus: not-a-virus:FraudTool.win32.antiSpyware.b
    c:\qooBox\Quarantine\C\Downloads\Anti-Spyware\setupxv.exe.vir/spywarebot/spywarebotsrv.srv.exe

    7-zip: infected - 2
    c:\qooBox\Quarantine\C\Downloads\Anti-Spyware\setupxv.exe.vir

    UPX: infected - 2
    c:\qooBox\Quarantine\C\Downloads\Anti-Spyware\setupxv.exe.vir

    PE_Patch.UPX: infected - 2
    c:\qooBox\Quarantine\C\Downloads\Anti-Spyware\setupxv.exe.vir

    virus: not-a-virus:AdWare.Win32.MyWay.v
    G:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    Finally, on my last post I was to list any files in the "ADD OR REMOVE PROGRAMS" list that I didn't recognize; I missed posting the list, so here it is:

    I did not recognize (for sure):

    Bonjour
    Broadcom Advanced Control Suite 2
    DIY DataREcover MBRtool 2
    GemMaster Mystic
    Otto
    SmartSound Quicktracks Plugin

    In addition, there was no SpywareBot on the list to remove.

    I look forward to your next post. Thanks for the help.

    David
     
    Last edited: 2008/04/17
  11. 2008/04/17
    Geri Lifetime Subscription

    Hi David

    What is your G drive? External drive?

    We can remove MyWaySA, it is put on Dell computers or you may have downloaded it yourself. Really it is up to you.
    See here.
    http://vil.mcafeesecurity.com/vil/content/v_134251.htm

    Let me know.

    OK Please do this.

    Click Start > Run; in the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.

    Empty your deleted items folder in Outlook Express.

    Let me know what you want to do with MyWaySearch and we'll go from there.

    Thanks
    Geri
     
  12. 2008/04/17
    dhartson

    Drive G is a partition of a HDD. There is a USB drive, K.

    It's OK by me to remove it if you are at all concerned about it. I don't "use" it, and if I have a program that looks for it, I suppose it will let me know ...

    DONE

    DONE

    As indicated above, I'll follow your lead on this.

    Thank you!
     
  13. 2008/04/18
    Geri Lifetime Subscription

    Hi dhartson
    OK, I'm guessing that it is a recovery partition from an OEM (Dell computer)?

    And it being there does not hurt or hamper your system, unless you ever have to use it to do a system recovery. Even then it's not that big a problem.
    So I'm inclined to leave it.

    This does not add up to what you posted from your Kaspersky log.
    I count 9 that you posted. Please review it again if you still have it to make sure you did not miss anything.

    The programs that you posted from your add/remove are OK.

    Also please let me know how things are running.

    Thanks
    Geri
     
  14. 2008/04/19
    dhartson

    Thank you, Geri, for your continuing help. I will run another online scan to see what it shows compared to the earlier one. I had noted the discrepancy between the results I had recorded and the log's totals, but didn't know what to make of it.

    My "G" drive was an earlier "clone" of my original "C" drive that I made when I started my migration to larger capacity drives. I think it was Partition Magic that I used to shrink the size of my original 160 GB "C" drive to fit in a smaller partition. The current drive "G" is one of the attempts to clone the original drive. When I'm done I will remove that drive after using it to archive the system and some data. However, since it was there when the system became infected, I have left it alone to make sure I don't archive a virus!

    I do have a hidden 39 MB FAT partition with DELL diagnostic tools. There had been another hidden "recovery" partition with a ghost image of the factory software installation, but I have copied (not easy) and archived it, and it is no longer on the system.

    We didn't resolve whether to remove MyWaySA; I was going to follow your recommendation on that. I'll report back on the online system scan, probably tomorrow since I'll probably run it overnight. Thanks again!

    David
     
  15. 2008/04/19
    Geri Lifetime Subscription

    Hi dhartson
    Sorry I should have been more clear.
    "it being there does not hurt or hamper your system, unless you ever have to use it to do a system recovery. even then it's not that big a problem.
    So I'm inclined to leave it."

    Let me know what Kaspersky says.

    Thanks
    Geri
     
  16. 2008/04/19
    dhartson

    Kaspersky irregularities

    Any idea why Kaspersky's online scanner crashes now when I try to save a report, but worked fine and saved a report without any problem when the system was originally infected (I posted an initial report with my first posting, when I overdid things a little!). Also, it skips past the middle step where you select the scan settings now, whereas initially it stopped there so that I could select "Extended", which is what I selected initially. Finally, it takes very little time to load the databases or library of viruses, etc., now, compared to the first time I ran it. Is there a way to "uninstall" what is on my system so that it might reset and work normally?
     
  17. 2008/04/20
    Geri Lifetime Subscription

    Hi dhartson
    Not sure why Kaspersky would be doing that?

    Let's try this.

    Open add/remove list. Remove Kaspersky on-line scanner.

    Open HJT and do a scan only, check the box next to this.

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab

    Make sure all other windows are closed and click Fix Checked.

    Reboot your computer.

    Go to Kaspersky again following these instructions and do a scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it, then click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    It may help and speed things up if you disable your Norton just before you start the scanning.

    Make sure you re-enable your Norton after the scan.

    Let me know if that helped.
    Geri
     
  18. 2008/04/20
    dhartson

    Geri, thank you for your continuing help. Kaspersky worked as expected and I was able to save the report, but I made notes before trying in order to avoid having to re-run the scan if it crashed as before. So that you can more easily pick out the specific items Kaspersky flagged as a problem, my notes precede the report.

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>0<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    Of course, all the items were skipped. I suppose that would be different with the full version of the program. While there may be some typographical errors, the following items were reported:

    c:\documents and settings\david\local settings\temporary internet files\content ie5\J601YZoZ\smitfraudfix(1).zip\smitfraudfixr/reboot.exe
    not-a-virus:RiskTool.Win32.Reboot.f

    c:\documents and settings\david\local settings\temporary internet files\content ie5\J601YZoZ\smitfraudfix(1).zip
    zip: infected - 1

    c:\downloads\anti-spyware\smitfraudfix\reboot.exe
    not-a-virus:RiskTool.Win32.Reboot.f

    c:\downloads\anti-spyware\smitfraudfix\smitfraudfix.zip\smitfraudfix/reboot.exe
    not-a-virus:RiskTool.Win32.Reboot.f

    c:\downloads\anti-spyware\smitfraudfix\smitfraudfix.zip
    ZIP: infected - 1

    c:\downloads\anti-spyware\smitfraudfix.exe/data.rar/smitfraudfix/reboot.exe
    not-a-virus:RiskTool.Win32.Reboot.f

    c:\downloads\anti-spyware\smitfraudfix.exe/data.rar
    not-a-virus:RiskTool.Win32.Reboot.f

    c:\downloads\anti-spyware\smitfraudfix.exe
    RarSFX: infected - 2

    c:\downloads\utilities\astlog\astlog.exe
    not-a-virus:pSWTool.Win32.Asterisk.a

    c:\system volume\information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000102.exe
    not-a-virus:RiskTool.Win32.Reboot.f

    G:\program files\mywaySA\SrchAsDe\1.bin\deSrcAs.dll
    not-a-virus: AdWare.Win32.MyWay.v

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, April 20, 2008 6:37:39 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 20/04/2008
    Kaspersky Anti-Virus database records: 717511
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    S:\

    Scan Statistics:
    Total number of scanned objects: 162525
    Number of viruses found: 3
    Number of infected objects: 11
    Number of suspicious objects: 0
    Duration of the scan process: 02:17:01

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ee6dddd0c7fe09abe3ead472936878c8_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{370E23D4-8891-4A1B-A0CF-EA5D502A0EB0}.ldb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{370E23D4-8891-4A1B-A0CF-EA5D502A0EB0}.sds Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\70BBE99C.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\806F2E01.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\Alleg_Rg.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BernFash.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BRADHITC.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BROADW.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\BRUSHSCI.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\CURLZ___.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\EDDA.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\Eng111Vi.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\FREESCPT.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\Jokerman.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\KUNSTLER.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\SCRIPTBL.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\SNAP____.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\TEMPSITC.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\TypoUpri.ttf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\VINERITC.TTF Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\Del_ME\VLADIMIR.TTF Object is locked skipped
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\David\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
    C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_810.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\~DF3E60.tmp Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temp\~DF3E8D.tmp Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J601YZ0Z\SmitfraudFix[1].zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J601YZ0Z\SmitfraudFix[1].zip ZIP: infected - 1 skipped
    C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\David\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Downloads\Anti-Spyware\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\Downloads\Utilities\astlog\astlog.exe Infected: not-a-virus:pSWTool.Win32.Asterisk.a skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000102.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D91E1BBF-0613-4E6F-87CA-6B7F460F018C}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{0D71E18D-CB60-430F-9219-1AC9A08AE74A}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\JET950C.tmp Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_434.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\MSDVRMM_1421815329_851968_69 Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\MSDVRMM_1421815329_983040_57 Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
    D:\Recorded TV\TempRec\TempSBE\SBE8.tmp Object is locked skipped
    D:\Recorded TV\TempRec\{0F7EA560-B332-4486-BA38-928750F497DC}.TmpSBE Object is locked skipped
    D:\Recorded TV\TempRec\{C149DCE3-FFB8-43C3-A141-557CBD780332}.TmpSBE Object is locked skipped
    D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
    E:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
    F:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
    G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
    G:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
    G:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
    K:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
    K:\RECYCLED\NPROTECT\NPROTECT.LOG Object is locked skipped
    S:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    S:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    S:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped

    Scan process completed.

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>0<<<<<<<<<<<<<<<<<<<<<<<<<<<

    Ahh. I see it is a simple matter to scan the web page for the word "infected" to find each instance of significance ...
     
  19. 2008/04/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi dhartson
    That is not always true; the whole log needs to be gone through. Sometimes the "Object is locked skipped" items are ones Kaspersky can not scan, and they "could" be infected.

    OK please do this.


    Did you download this?
    C:\Downloads\Utilities\astlog\astlog.exe

    If not, it is a security risk and should be removed.

    If you remove it go here and delete the folder.
    C:\Downloads\Utilities\astlog


    Please delete these.

    Smitfraudfix.exe <<If this is still on your desktop.

    These files.
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\VACFix.exe


    The recycle bin needs to be emptied in all these drives.
    D:\ E:\ F:\ G:\ K:\ S:\


    We need to turn off and on system restore. There are infections in it and by using system restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point…" put a name in the box. Click Create. In the next window click Close.

    Run Kaspersky again, you should end up with only this showing infected in the log.
    G:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped

    Let me know.

    Geri
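    Dhartson's remark that scanning the report for the word "infected" finds everything of significance, and Geri's reply that the "Object is locked skipped" entries also need a look, can both be turned into a small triage script. The Python below is an added example written for this page; it is not code from the thread, from WindowsBBS, or from Kaspersky. It parses report lines in the format quoted above. The sample lines are constructed for the demo (one verdict, Trojan.Win32.ConstructedExample, is invented to exercise the non-riskware path), and the rule for which locked objects deserve manual review (executable extensions or a Temp directory) is an assumption of this example, not a Kaspersky rule.

```python
"""Triage a Kaspersky Online Scanner report (added example, not Kaspersky code).

Splits report lines into detections ("Infected: <verdict>"), archive summaries
("ZIP: infected - N"), objects the scanner could not open ("Object is locked
skipped"), and anything else, so that locked entries are reviewed, not ignored.
"""
import re

# Constructed sample lines modelled on the report format quoted in the thread.
# The Trojan.Win32.ConstructedExample verdict is invented for this demo.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Downloads\Utilities\astlog\astlog.exe Infected: not-a-virus:pSWTool.Win32.Asterisk.a skipped
C:\Downloads\Anti-Spyware\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\Anti-Spyware\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\WINDOWS\system32\constructed_sample.dll Infected: Trojan.Win32.ConstructedExample skipped
G:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\WINDOWS\Temp\JET950C.tmp Object is locked skipped

Scan process completed.
"""

# Paths may contain spaces, so the path group is non-greedy and the status is anchored.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumed review rule: locked objects that are code, or sit in a Temp folder.
REVIEW_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def parse_report(text):
    """Classify every non-empty report line into one of four buckets."""
    buckets = {"infected": [], "archives": [], "locked": [], "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Scan process completed.":
            continue
        m = INFECTED_RE.match(line)
        if m:
            buckets["infected"].append((m["path"], m["verdict"]))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            buckets["archives"].append((m["path"], m["kind"], int(m["count"])))
            continue
        m = LOCKED_RE.match(line)
        if m:
            buckets["locked"].append(m["path"])
            continue
        buckets["other"].append(line)
    return buckets


def summarize(buckets):
    """Collapse detections to the outermost on-disk object and separate riskware.

    A hit inside an archive ("a.zip/inner/x.exe") is reported under "a.zip";
    the archive's own "ZIP: infected - N" line is the same finding, not a new one.
    Kaspersky's "not-a-virus:" prefix marks riskware/adware, which in this thread
    covered legitimate tools (SmitfraudFix's Reboot.exe), so it is listed apart.
    """
    detections = {}
    for path, verdict in buckets["infected"]:
        container = path.split("/", 1)[0]  # '/' only appears as the archive separator
        detections.setdefault(container, set()).add(verdict)
    riskware = lambda v: v.startswith("not-a-virus:")
    return {
        "files_to_review": sorted(detections),
        "riskware_only": sorted(p for p, vs in detections.items() if all(riskware(v) for v in vs)),
        "malware": sorted(p for p, vs in detections.items() if not all(riskware(v) for v in vs)),
        "locked_count": len(buckets["locked"]),
    }


def locked_needing_review(buckets):
    """Locked objects the scanner never opened: 'skipped' is not 'clean'."""
    flagged = []
    for path in buckets["locked"]:
        name = path.rsplit("\\", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in REVIEW_EXT or "\\temp\\" in path.lower():
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    b = parse_report(SAMPLE_REPORT)
    for key, value in summarize(b).items():
        print(f"{key}: {value}")
    print("locked objects to check by hand:", locked_needing_review(b))
```

    Run it against a saved report with `parse_report(open("report.txt").read())`; the `other` bucket catches any line format the three patterns do not know, so nothing is silently dropped.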
     
  20. 2008/04/21
    dhartson

    dhartson Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    14
    Likes Received:
    0
    Is this "fini"?

    I used windows explorer to look for the files, and when I found VACFix.exe, I double clicked on it -- that was right, wasn't it?

    Yeah, I'm kidding; not much left of April ... ;)
    (Hope that didn't tick you off; you probably have to figure we're all dumb enough to do that or we wouldn't have gotten our systems infected in the first place!)

    I deleted all instances of SmitFraudFix on my system, excepting only "txt" log files I may have from that program. I did not find any of the other files you specified except for "tmp.reg", which I deleted along with "tmp.txt".

    I also found these files, which were somewhat close in name, but which I left alone:

    WS2_32.DLL I left it alone
    WS2HELP.DLL I left it alone

    Also, I have "SymKBFix.EXE" on my desktop, and I don't recognize it. It may well be a symantec utility, though, that their tech support had me download, or that they downloaded when they took over my system remotely in order to fix a problem with one of their programs. While I did not delete it, I think I will unless you have something to say to the contrary on the subject.

    You asked me to delete the following files, along with SmitFraudFix.exe:

    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\VACFix.exe

    I was curious where you came up with this list since none of the files or paths were listed in the log of the online scan. The only instance I found of "tmp" as the root of a file name referenced in the log of my last online scan was the following:
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    In an overabundance of caution, I did a system search for any file with the following as part of the file name:

    dumphive
    SrchSTS
    VCCLSID
    WS2Fix
    IEDFix
    VACFix

    I found nothing. Next, I used "Add or Remove Programs" to remove AVG Antispyware and all quarantined files and related folders, etc., and did the same for Malwarebytes' Anti-Malware 1.11. I emptied the recycle bin for all system drives, turned off "System Restore", and then ran CCleaner and then ATF Cleaner. Next, I emptied my "Norton Protected Files" folders for all drives/users. Then I rebooted, turned on "System Restore" and lastly I ran Kaspersky Online.

    As before, the online scan crashed when I tried to save the log. I believe this has something to do with the use of ATF Cleaner or CCleaner deleting a file that the program uses, and the file is restored with the removal and reinstallation procedure you provided the last time around. Notwithstanding, I once again typed notes of the two "positive" findings. Should you believe it prudent to run another scan and post the full report, I will follow the removal and reinstallation procedure as before, and will run the scan tonight when I quit the system. In the meantime, the scan summary and my notes of the two positives, which I believe you will have anticipated:

    Total number of scanned objects: 155688
    Number of viruses found: 2
    Number of infected objects: 2
    Number of suspicious objects: 0
    Duration of the scan process: 02:11:07

    c:\downloads\utilities\astlog\astlog.exe not-a-virus: PSWTool.Win32.Asterisk.a
    g:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll not-a-virus: AdWare.Win32.MyWay.v

    Please advise whether I should post a full scan report, or if it is safe to consider my system CLEAN and this thread closed! :D

    Once again, thank you for your patience and outstanding help!

    Regards,

    David
     
  21. 2008/04/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi David
    Well, that's not completely true; many people are just innocent of the way things can and do work.
    You visit bad places, try to get things for nothing (P2P file sharing) or just don't know to protect their systems. (Been there, done that.) That's why I do what I do here.

    Good that you did. See here.
    http://www.liutilities.com/products/wintaskspro/dlllibrary/ws2_32/

    Yes, that is part of Norton; it seems to have something to do with Activation or updates.

    SmitfraudFix installs those files as part of the tool. They could have been deleted by another tool you ran, AVG AS or Malwarebytes AM.

    Nothing to worry about, Info here.
    http://support.microsoft.com/kb/197971

    More than likely CCleaner; it is a more powerful cleaner than ATF Cleaner.
    ATF Cleaner will just get rid of junk you don't need; CCleaner could harm your system if used incorrectly.
    By the way, you don't need both, so you can delete one of them. If you keep CCleaner, just be careful what you do with it.

    No, that does not look necessary. You should be good to go.

    I'll mark this one resolved.

    Surf Safely
    Geri
     