
Solved Please help - multiple virus attack!

Discussion in 'Malware and Virus Removal Archive' started by igorhamburg, 2008/04/08.

  1. 2008/04/08
    igorhamburg

    igorhamburg Inactive Thread Starter

    Joined:
    2008/04/08
    Messages:
    6
    Likes Received:
    0
    [Resolved] Please help - multiple virus attack!

    Hello guys!

    Please please help! :eek: I am going crazy - my computer started to show signs of multiple virus intrusion and I can't do much about it - the Symantec antivirus that I have installed shows that the following viruses are present:

    bloodhound.packed.jmp,
    gammima,
    cc.exe,
    tavo.exe,
    kavo.exe,
    cc.exe,
    ff.exe,
    control.exe,
    ubs.exe running.

    I tried to scan and remove with Symantec, also in safe mode, but it did not help at all. Now even typing becomes very problematic, the PC became very slow, and Symantec stops responding once it finds Bloodhound... I am starting to really panic - afraid of losing my files. I am in the middle of a money problem, so I can't really afford to pay for those software products online that offer cleaning up, or even to send my computer to repair specialists. Can anybody please help?! THANK YOU!!!!

    Here is the log from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:57:44, on 08.04.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\PrevxCSI\PrevxCSI.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\System32\ezSP_PxEngine.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\PrevxCSI\PrevxCSI.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\help\F3C74E3FA248.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_PxEngine.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
    O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://etrade.yuanta.com.tw/TSWeb/TaiCA/FSCAPIATL.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec AntiVirus 用戶端 (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 6997 bytes

    would be endlessly thankful for your help,
    igor

    Deckard's System Scanner v20071014.68
    Run by igor on 2008-04-08 22:02:10
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 3 Restore Point(s) --
    3: 2008-04-08 20:02:52 UTC - RP3 - Deckard's System Scanner Restore Point
    2: 2008-04-08 14:22:16 UTC - RP2 - Software Distribution Service 3.0
    1: 2008-04-08 13:16:00 UTC - RP1 - 系統檢查點


    Backed up registry hives.
    Performed disk cleanup.

    Percentage of Memory in Use: 94% (more than 75%).
    Total Physical Memory: 232 MiB (512 MiB recommended).


    -- HijackThis (run as igor.exe) ------------------------------------------------

    logfile has no content; running clone.
    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-08 22:18:14
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\PrevxCSI\PrevxCSI.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\system32\ezSP_PxEngine.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\alg.exe
    C:\Program Files\PrevxCSI\PrevxCSI.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\Help\F3C74E3FA248.exe
    C:\Documents and Settings\igor\Local Settings\Temporary Internet Files\Content.IE5\24SSWJVX\dss[1].exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 連結
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_PxEngine.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
    O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec WinFax Starter Edition 通訊埠.lnk = C:\Program Files\Microsoft Office\Office\1028\OLFSNT40.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://etrade.yuanta.com.tw/TSWeb/TaiCA/FSCAPIATL.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
    O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec AntiVirus 用戶端 (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


    --
    End of file - 9406 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 CSIScanner - "c:\program files\prevxcsi\\prevxcsi.exe" /service <Not Verified; Prevx; Prevx CSI>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\DE48728004603
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\DE48728004603
    Service: NIC1394


    -- Files created between 2008-03-08 and 2008-04-08 -----------------------------

    2008-04-08 21:52:01 0 d-------- C:\Program Files\Trend Micro
    2008-04-08 19:29:43 0 d-------- C:\WINDOWS\LastGood
    2008-04-08 19:04:57 117637 -r-hs---- C:\i.bat
    2008-04-08 18:56:11 117683 -r-hs---- C:\lgcadwx.bat
    2008-04-08 16:44:13 10880 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
    2008-04-08 16:44:12 0 d-------- C:\Program Files\PrevxCSI
    2008-04-08 16:43:37 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
    2008-04-08 11:34:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-04-08 11:02:37 0 d-------- C:\WINDOWS\pss
    2008-04-08 10:33:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
    2008-04-08 10:32:34 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-04-08 00:12:50 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-08 00:11:27 0 d-------- C:\Program Files\Spyware Doctor
    2008-04-08 00:11:27 0 d-------- C:\Documents and Settings\igor\Application Data\PC Tools
    2008-04-07 23:43:22 125952 -r-hs---- C:\WINDOWS\system32\kavo0.dll
    2008-04-07 23:24:05 81408 -r-hs---- C:\WINDOWS\system32\tavo1.dll
    2008-04-07 23:00:53 125952 -r-hs---- C:\WINDOWS\system32\kavo1.dll
    2008-04-07 23:00:02 81408 -----n--- C:\WINDOWS\system32\tavo0.dll
    2008-04-07 23:00:02 109271 -r-hs---- C:\WINDOWS\system32\tavo.exe
    2008-04-07 22:59:08 117637 -r-hs---- C:\WINDOWS\system32\kavo.exe
    2008-03-11 14:58:23 0 d-------- C:\Program Files\Common Files\xing shared
    2008-03-11 14:56:11 0 d-------- C:\Program Files\Common Files\Real
    2008-03-11 14:56:07 0 d-------- C:\Program Files\Real
    2008-03-11 14:55:13 0 d-------- C:\Documents and Settings\igor\Application Data\Real
    2008-03-11 14:44:02 1763 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache


    -- Find3M Report ---------------------------------------------------------------

    2008-04-08 00:14:56 248560 --a------ C:\WINDOWS\system32\prfh0404.dat
    2008-04-08 00:14:56 79482 --a------ C:\WINDOWS\system32\prfc0404.dat
    2008-03-11 14:58:23 0 d-------- C:\Program Files\Common Files
    2008-03-11 14:44:34 0 d-------- C:\Documents and Settings\igor\Application Data\Apple Computer


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04.08.2004 07:31]
    "PHIME2002ASync "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [04.08.2004 09:48]
    "PHIME2002A "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [04.08.2004 09:48]
    "ATIModeChange "= "Ati2mdxx.exe" [24.05.2002 17:51 C:\WINDOWS\system32\Ati2mdxx.exe]
    "AtiPTA "= "atiptaxx.exe" [24.05.2002 18:32 C:\WINDOWS\system32\atiptaxx.exe]
    "LTSMMSG "= "LTSMMSG.exe" [09.11.2001 11:55 C:\WINDOWS\LTSMMSG.exe]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [01.05.2003 08:32]
    "Mouse Suite 98 Daemon "= "ICO.EXE" []
    "Drag'n Drop CD "= "C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [14.02.2002 13:37]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_PxEngine.exe" [02.05.2002 18:55]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [24.09.2007 19:11]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [14.11.2007 17:43]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11.03.2008 14:56]
    "ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" [01.02.2008 12:55]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 09:47]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [21.11.2007 14:32]
    "kava "= "C:\WINDOWS\system32\kavo.exe" [08.04.2008 19:07]
    "tava "= "C:\WINDOWS\system32\tavo.exe" [08.04.2008 19:04]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23.09.2005 16:05:26]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [21.01.2000 03:15:54]
    Symantec WinFax Starter Edition 通訊埠.lnk - C:\Program Files\Microsoft Office\Office\1028\OLFSNT40.EXE [11.03.1999 13:23:12]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765} "= C:\WINDOWS\HELP\F3C74E3FA248.dll [30.03.2008 17:42 143872]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc2b900-2f41-11d9-a5dc-806d6172696f}]
    play\command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "




    -- End of Deckard's System Scanner: finished at 2008-04-08 22:30:08 ------------
     
    Last edited: 2008/04/08
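    As an added example (not from the thread, and not code from HijackThis, Deckard's System Scanner or ComboFix), the following Python cross-references the O4 autostart entries of a HijackThis log with the "Files created" listing from Deckard's System Scanner, reporting autostart targets that were created recently with hidden+system attributes and BHOs whose file is missing. The sample lines are copied from the logs posted above; the reading of the DSS attribute string (h = hidden, s = system) is an assumption.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis and
# Deckard's System Scanner logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
"""

DSS_SAMPLE = r"""
2008-04-08 19:04:57 117637 -r-hs---- C:\i.bat
2008-04-08 16:44:13 10880 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-04-07 23:43:22 125952 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2008-04-07 23:00:02 109271 -r-hs---- C:\WINDOWS\system32\tavo.exe
2008-04-07 22:59:08 117637 -r-hs---- C:\WINDOWS\system32\kavo.exe
"""

# HijackThis line formats: "O4 - <hive>\..\Run: [<value name>] <command>"
# and "O2 - BHO: <name> - {<CLSID>} - <dll path or (no file)>".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<file>.+)$")
# DSS "Files created" line: "<timestamp> <size> <9-char attribute string> <path> [<verification note>]"
DSS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+?)(?: <.*>)?$")
# First executable in a Run command, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


def parse_hjt(text):
    """Return O2 (BHO) and O4 (Run) entries as dicts; other sections are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            entries.append({"section": "O4", "hive": m["hive"], "name": m["name"],
                            "target": exe["path"] if exe else m["cmd"]})
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"], "clsid": m["clsid"],
                            "target": m["file"]})
    return entries


def parse_dss_files(text):
    """Map lower-cased path -> (created, size, attrs) from DSS 'Files created' lines."""
    files = {}
    for line in text.strip().splitlines():
        m = DSS_RE.match(line)
        if m:
            files[m["path"].lower()] = (m["ts"], int(m["size"]), m["attrs"])
    return files


def triage(hjt_text, dss_text):
    """Cross-reference autostart entries with the file listing and return findings."""
    files = parse_dss_files(dss_text)
    findings = []
    for e in parse_hjt(hjt_text):
        if e["section"] == "O2" and e["target"] == "(no file)":
            findings.append(f"O2 orphaned BHO {{{e['clsid']}}}: registered but its file is missing")
            continue
        info = files.get(e["target"].lower())
        if not info:
            continue  # target is not among the recently created files: nothing to report
        created, size, attrs = info
        # Assumed attribute letters: 'h' = hidden, 's' = system. A freshly created,
        # hidden+system executable wired into a Run key is worth a close look.
        if "h" in attrs and "s" in attrs:
            findings.append(
                f"{e['section']} [{e['name']}] -> {e['target']}: autostart target created "
                f"{created} with hidden+system attributes ({attrs}), {size} bytes")
    return findings


if __name__ == "__main__":
    for finding in triage(HJT_SAMPLE, DSS_SAMPLE):
        print(finding)
```

    Entries such as vptray or swg produce no finding because their targets are not among the recently created hidden+system files, while the kava/tava Run values and the orphaned BHO are reported.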
  2. 2008/04/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS igorhamburg :)

    Trust me, paying for one of those apps that pop up promising to clean up your infections would be similar to flushing your $$ down the sewer. Don't panic ... we'll help you get cleaned up, and without losing your data. ;)

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2008/04/09
    igorhamburg

    igorhamburg Inactive Thread Starter

    Joined:
    2008/04/08
    Messages:
    6
    Likes Received:
    0


    DEAR noahdfear,

    THANK YOU SO MUCH FOR TRYING TO HELP ME! :)
    I TRIED TO RUN COMBOFIX - IT PRODUCED A REPORT THE FIRST TIME AND THEN MY PC FROZE, SO I COULD NOT EVEN SAVE THAT REPORT... THEN I RESTARTED THE COMPUTER AND RAN COMBOFIX AGAIN - HERE IS THE LOG REPORT FROM THE SECOND RUN:

    ComboFix 08-04-08.9 - igor 2008-04-09 12:10:07.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.62 [GMT 2:00]
    執行位置?: C:\Documents and Settings\igor\桌面\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((( 2008-03-09 - 2008-04-09 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-04-08 22:00 . 2008-04-08 22:00 <DIR> d-------- C:\Deckard
    2008-04-08 21:52 . 2008-04-08 21:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-08 19:04 . 2008-04-09 11:08 117,637 -r-hs---- C:\i.bat
    2008-04-08 18:56 . 2008-04-08 15:29 117,683 -r-hs---- C:\lgcadwx.bat
    2008-04-08 11:34 . 2008-04-08 11:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-04-08 00:14 . 2008-04-08 00:14 3,416 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-04-08 00:12 . 2008-04-09 11:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-11 14:58 . 2008-03-11 14:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-03-11 14:56 . 2008-03-11 14:56 <DIR> d-------- C:\Program Files\Real
    2008-03-11 14:56 . 2008-03-11 14:58 <DIR> d-------- C:\Program Files\Common Files\Real

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-30 15:42 143,872 --sh--w C:\WINDOWS\Help\F3C74E3FA248.dll
    2008-03-27 06:47 119,164 --sh--w C:\WINDOWS\Help\F3C74E3FA248.exe
    2008-03-11 12:44 --------- d-----w C:\Documents and Settings\igor\Application Data\Apple Computer
    2007-12-11 15:02 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    1999-03-11 11:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-08 19:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-08 19:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-08 19:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-08 19:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-08 19:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:47 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-21 14:32 68856]
    "kava "= "C:\WINDOWS\system32\kavo.exe" [2008-04-09 12:15 117637]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:31 208952]
    "PHIME2002ASync "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:48 455168]
    "PHIME2002A "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:48 455168]
    "ATIModeChange "= "Ati2mdxx.exe" [2002-05-24 17:51 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
    "AtiPTA "= "atiptaxx.exe" [2002-05-24 18:32 286720 C:\WINDOWS\system32\atiptaxx.exe]
    "LTSMMSG "= "LTSMMSG.exe" [2001-11-09 11:55 32768 C:\WINDOWS\LTSMMSG.exe]
    "Mouse Suite 98 Daemon "= "ICO.EXE" []
    "Drag'n Drop CD "= "C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-02-14 13:37 663552]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_PxEngine.exe" [2002-05-02 18:55 36864]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 19:11 132496]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-11-14 17:43 286720]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 14:56 185896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:47 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 16:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
    Symantec WinFax Starter Edition 通訊埠.lnk - C:\Program Files\Microsoft Office\Office\1028\OLFSNT40.EXE [1999-03-11 13:23:12 45568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765} "= C:\WINDOWS\HELP\F3C74E3FA248.dll [2008-03-30 17:42 143872]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R1 Crusoe;Transmeta Crusoe Processor Driver;C:\WINDOWS\system32\DRIVERS\crusoe.sys [2004-08-04 09:39]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-11-09 11:55]
    R3 SONYMCAP;Sony MPEG2 R-Engine;C:\WINDOWS\system32\DRIVERS\SONYMCAP.sys [2002-05-22 07:00]
    R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 06:51]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc2b900-2f41-11d9-a5dc-806d6172696f}]
    \shell\play\command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-09 12:14:32
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    C:\WINDOWS\system32\kavo.exe 117637 bytes executable
    C:\WINDOWS\system32\kavo0.dll 125952 bytes executable

    掃描完成
    隱藏檔案?: 2

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    完成時間?: 2008-04-09 12:17:24
    ComboFix-quarantined-files.txt 2008-04-09 10:16:40
    ComboFix2.txt 2008-04-09 09:59:34
    8 個目錄 12,846,841,856 位元組可用
    9 個目錄 12,836,544,512 位元組可用
    .
    2008-03-15 09:38:03 --- E O F ---


    AND THIS IS WHAT I THINK IS THE LOG FROM THE FIRST SESSION THAT WAS SAVED AUTOMATICALLY:

    ComboFix 08-04-08.4 - igor 2008-04-08 23:17:05.1 - NTFSx86
    執行位置?: C:\Documents and Settings\igor\Local Settings\Temporary Internet Files\Content.IE5\I6SU4TQ1\ComboFix[1].exe
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    C:\WINDOWS\system32\kavo.exe
    C:\WINDOWS\system32\kavo0.dll
    C:\WINDOWS\system32\kavo1.dll
    C:\WINDOWS\system32\tavo.exe
    C:\WINDOWS\system32\tavo1.dll
    D:\Autorun.inf

    .
    (((((((((((((((((((((((((((( 2008-03-08 - 2008-04-08 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-04-08 21:52 . 2008-04-08 21:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-08 19:04 . 2008-04-08 19:07 117,637 -r-hs---- C:\i.bat
    2008-04-08 18:56 . 2008-04-08 15:29 117,683 -r-hs---- C:\lgcadwx.bat
    2008-04-08 16:44 . 2008-04-08 16:44 <DIR> d-------- C:\Program Files\PrevxCSI
    2008-04-08 16:44 . 2008-04-08 16:44 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
    2008-04-08 16:43 . 2008-04-08 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
    2008-04-08 11:34 . 2008-04-08 11:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-04-08 00:14 . 2008-04-08 00:14 3,416 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-04-08 00:12 . 2008-04-08 23:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-08 00:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-04-08 00:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-04-08 00:12 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-04-08 00:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-04-08 00:11 . 2008-04-08 11:44 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-04-08 00:11 . 2008-04-08 00:11 <DIR> d-------- C:\Documents and Settings\igor\Application Data\PC Tools
    2008-04-07 23:00 . 2008-04-08 18:59 81,408 --------- C:\WINDOWS\system32\tavo0.dll
    2008-03-11 14:58 . 2008-03-11 14:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-03-11 14:56 . 2008-03-11 14:56 <DIR> d-------- C:\Program Files\Real
    2008-03-11 14:56 . 2008-03-11 14:58 <DIR> d-------- C:\Program Files\Common Files\Real

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-30 15:42 143,872 --sh--w C:\WINDOWS\Help\F3C74E3FA248.dll
    2008-03-27 06:47 119,164 --sh--w C:\WINDOWS\Help\F3C74E3FA248.exe
    2008-03-11 12:44 --------- d-----w C:\Documents and Settings\igor\Application Data\Apple Computer
    2007-12-11 15:02 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    1999-03-11 11:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-08 19:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-08 19:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-08 19:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-08 19:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-08 19:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:47 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-21 14:32 68856]
    "tava "= "C:\WINDOWS\system32\tavo.exe" [2008-04-09 00:01 109271]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:31 208952]
    "PHIME2002ASync "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:48 455168]
    "PHIME2002A "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:48 455168]
    "ATIModeChange "= "Ati2mdxx.exe" [2002-05-24 17:51 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
    "AtiPTA "= "atiptaxx.exe" [2002-05-24 18:32 286720 C:\WINDOWS\system32\atiptaxx.exe]
    "LTSMMSG "= "LTSMMSG.exe" [2001-11-09 11:55 32768 C:\WINDOWS\LTSMMSG.exe]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-01 08:32 90112]
    "Mouse Suite 98 Daemon "= "ICO.EXE" []
    "Drag'n Drop CD "= "C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-02-14 13:37 663552]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_PxEngine.exe" [2002-05-02 18:55 36864]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 19:11 132496]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-11-14 17:43 286720]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 14:56 185896]
    "ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:47 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 16:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
    Symantec WinFax Starter Edition 通訊埠.lnk - C:\Program Files\Microsoft Office\Office\1028\OLFSNT40.EXE [1999-03-11 13:23:12 45568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765} "= C:\WINDOWS\HELP\F3C74E3FA248.dll [2008-03-30 17:42 143872]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-08 16:44]
    R1 Crusoe;Transmeta Crusoe Processor Driver;C:\WINDOWS\system32\DRIVERS\crusoe.sys [2004-08-04 09:39]
    R2 CSIScanner;CSIScanner; "C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
    R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-11-09 11:55]
    R3 SONYMCAP;Sony MPEG2 R-Engine;C:\WINDOWS\system32\DRIVERS\SONYMCAP.sys [2002-05-22 07:00]
    R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 06:51]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc2b900-2f41-11d9-a5dc-806d6172696f}]
    \shell\play\command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-08 23:54:34
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案?: 0

    **************************************************************************
    .

    I AM SORRY ABOUT THE CHINESE INCRYPTS - MY WINDOWS XP IS TRADITIONAL CHINESE EDITION.... HOPE IT DOESN'T INTERFERE WITH YOUR BEING ABLE TO READ IT - IF ANY QUESTIONS - LET ME KNOW - I WILL TRANSLATE THE UNCLEAR PARTS INTO ENGLISH....


    AND THIS IS THE HIJACKTHIS LOG THAT I DID JUST NOW:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:30:21, on 09.04.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\System32\ezSP_PxEngine.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_PxEngine.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java ¥D±±¥x - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://etrade.yuanta.com.tw/TSWeb/TaiCA/FSCAPIATL.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec AntiVirus ¥I?aoY (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    --
    End of file - 6057 bytes


    I HOPE THIS IS WHAT I WAS SUPPOSED TO DO.... AND I HOPE YOU COULD GIVE ME FURTHER INSTRUCTIONS - I AM TOTALLY AT A LOSS WITH ALL THIS.... I AM VERY VERY GRATEFUL TO YOU FOR KINDLY HELPING ME! :)))
    IGOR
     
  5. 2008/04/09
    noahdfear
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Collect::
    C:\i.bat
    C:\lgcadwx.bat
    C:\WINDOWS\system32\tavo0.dll
    File::
    C:\WINDOWS\Help\F3C74E3FA248.dll
    C:\WINDOWS\Help\F3C74E3FA248.exe
    Rootkit::
    C:\WINDOWS\system32\kavo.exe
    C:\WINDOWS\system32\kavo0.dll
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "tava"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765}"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!
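    As an added illustration (not part of this thread, ComboFix, or any tool the helper uses), the following Python script applies the same reasoning to a ComboFix log that led to the script above: it flags hidden+system scripts at the drive root, a recently created autostart binary in system32, a ShellExecuteHooks DLL outside the usual system folders, and the Security Center AntiVirusOverride setting. The sample log is constructed from abbreviated lines of the kind posted above; the rules, the seven-day threshold and the HOOK_DIRS allow-list are assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample, abbreviated from the kind of ComboFix log posted in this
# thread (file listing followed by the REGEDIT4-style registry section).
SAMPLE_LOG = r"""
2008-04-08 19:04 . 2008-04-08 19:07 117,637 -r-hs---- C:\i.bat
2008-04-08 18:56 . 2008-04-08 15:29 117,683 -r-hs---- C:\lgcadwx.bat
2008-04-08 16:44 . 2008-04-08 16:44 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-08 21:52 . 2008-04-08 21:52 <DIR> d-------- C:\Program Files\Trend Micro

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:47 15360]
"tava"="C:\WINDOWS\system32\tavo.exe" [2008-04-09 00:01 109271]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 17:43 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DBD6574-D6D0-4782-94C3-69619E719765}"=C:\WINDOWS\HELP\F3C74E3FA248.dll [2008-03-30 17:42 143872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# One line of the "files created" listing: two timestamps, a size or <DIR>,
# a nine-character attribute field (d/r/a/h/s/...), then the path.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:<DIR>|[\d,]+)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" [yyyy-mm-dd hh:mm size]; data may be unquoted or a dword,
# and the forum-mangled variant "name "= "data" is accepted as well.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+?)\s*"\s*=\s*"?(?P<data>[^"\[]*?)"?\s*(?:\[(?P<meta>[^\]]*)\])?$'
)

# Assumed allow-list of folders a ShellExecuteHooks DLL is normally loaded
# from on XP (shell32.dll lives under system32); not exhaustive.
HOOK_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def _stamp(meta):
    """Return the date at the start of a ComboFix '[date time size]' field, if any."""
    m = re.match(r"\d{4}-\d{2}-\d{2}", meta or "")
    return date.fromisoformat(m.group(0)) if m else None


def audit(log_text, scan_day, recent_days=7):
    """Return (item, reason) pairs for log entries that deserve a second look.

    scan_day is a datetime.date or an ISO date string. The rules mirror what
    the helper acted on in this thread: hidden+system scripts/executables,
    an autostart binary in system32 created within recent_days of the scan,
    a ShellExecuteHooks DLL outside HOOK_DIRS, and AntiVirusOverride != 0.
    """
    if isinstance(scan_day, str):
        scan_day = date.fromisoformat(scan_day)
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        fm = FILE_RE.match(line)
        if fm:
            attr, path = fm.group("attr"), fm.group("path")
            hidden_system = "h" in attr and "s" in attr and not attr.startswith("d")
            if hidden_system and path.lower().endswith((".bat", ".cmd", ".exe", ".dll")):
                findings.append((path, "hidden+system script or executable"))
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        vm = VALUE_RE.match(line) if key and line.startswith('"') else None
        if not vm:
            continue
        name, data = vm.group("name"), vm.group("data").strip()
        created = _stamp(vm.group("meta"))
        if key.endswith("security center"):
            if name.lower() == "antivirusoverride" and data.lower().startswith("dword:") \
                    and int(data[6:], 16) != 0:
                findings.append((name, "Security Center antivirus warnings suppressed"))
        elif key.endswith("shellexecutehooks"):
            if not data.lower().startswith(HOOK_DIRS):
                findings.append((name, "ShellExecuteHooks DLL in unusual location: " + data))
        elif key.endswith("\\run") and created is not None:
            if (scan_day - created).days <= recent_days and "\\system32\\" in data.lower():
                findings.append((name, "autostart binary in system32 created %s: %s" % (created, data)))
    return findings


if __name__ == "__main__":
    for item, reason in audit(SAMPLE_LOG, "2008-04-09"):
        print("%-45s %s" % (item, reason))
```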
     
  6. 2008/04/10
    igorhamburg
    Hey again,
    This is what ComboFix gave out as a report, however there was no zip file as you described.... Is something wrong then?

    ComboFix 08-04-08.9 - igor 2008-04-10 12:56:42.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.63 [GMT 2:00]
    執行位置?: C:\Documents and Settings\igor\桌面\ComboFix.exe
    Command switches used :: C:\Documents and Settings\igor\桌面\CFScript.txt
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\Help\F3C74E3FA248.dll
    C:\WINDOWS\Help\F3C74E3FA248.exe
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    C:\i.bat
    C:\lgcadwx.bat
    C:\WINDOWS\Help\F3C74E3FA248.dll
    C:\WINDOWS\Help\F3C74E3FA248.exe
    C:\WINDOWS\system32\kavo.exe
    C:\WINDOWS\system32\kavo0.dll
    C:\WINDOWS\system32\tavo.exe
    C:\WINDOWS\system32\tavo0.dll
    D:\Autorun.inf

    .
    (((((((((((((((((((((((((((( 2008-03-10 - 2008-04-10 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-04-08 22:00 . 2008-04-08 22:00 <DIR> d-------- C:\Deckard
    2008-04-08 21:52 . 2008-04-08 21:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-08 11:34 . 2008-04-08 11:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-04-08 00:14 . 2008-04-08 00:14 3,416 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-04-08 00:12 . 2008-04-09 11:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-11 14:58 . 2008-03-11 14:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-03-11 14:56 . 2008-03-11 14:56 <DIR> d-------- C:\Program Files\Real
    2008-03-11 14:56 . 2008-03-11 14:58 <DIR> d-------- C:\Program Files\Common Files\Real

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-11 12:44 --------- d-----w C:\Documents and Settings\igor\Application Data\Apple Computer
    2007-12-11 15:02 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    1999-03-11 11:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-08 19:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-08 19:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-08 19:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-08 19:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-08 19:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:47 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-21 14:32 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:31 208952]
    "PHIME2002ASync "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:48 455168]
    "PHIME2002A "= "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:48 455168]
    "ATIModeChange "= "Ati2mdxx.exe" [2002-05-24 17:51 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
    "AtiPTA "= "atiptaxx.exe" [2002-05-24 18:32 286720 C:\WINDOWS\system32\atiptaxx.exe]
    "LTSMMSG "= "LTSMMSG.exe" [2001-11-09 11:55 32768 C:\WINDOWS\LTSMMSG.exe]
    "Mouse Suite 98 Daemon "= "ICO.EXE" []
    "Drag'n Drop CD "= "C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-02-14 13:37 663552]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_PxEngine.exe" [2002-05-02 18:55 36864]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 19:11 132496]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-11-14 17:43 286720]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 14:56 185896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:47 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 16:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
    Symantec WinFax Starter Edition 通訊埠.lnk - C:\Program Files\Microsoft Office\Office\1028\OLFSNT40.EXE [1999-03-11 13:23:12 45568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765} "= C:\WINDOWS\HELP\F3C74E3FA248.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R1 Crusoe;Transmeta Crusoe Processor Driver;C:\WINDOWS\system32\DRIVERS\crusoe.sys [2004-08-04 09:39]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-11-09 11:55]
    R3 SONYMCAP;Sony MPEG2 R-Engine;C:\WINDOWS\system32\DRIVERS\SONYMCAP.sys [2002-05-22 07:00]
    R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 06:51]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc2b900-2f41-11d9-a5dc-806d6172696f}]
    \shell\play\command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-10 13:04:18
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案?: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\conime.exe
    .
    **************************************************************************
    .
    完成時間?: 2008-04-10 13:08:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-10 11:08:26
    ComboFix2.txt 2008-04-09 10:17:26
    ComboFix3.txt 2008-04-09 09:59:34
    8 個目錄 12,794,667,008 位元組可用
    9 個目錄 12,784,300,032 位元組可用
    .
    2008-03-15 09:38:03 --- E O F ---

    Please let me know what I should do next - there are no virus notifications coming up now, but the pc is still slower than before... MANY THANKS!!!!
    igor
     
  7. 2008/04/10
    noahdfear
    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [-hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765}"=-
    
    
    Double click fix.reg and allow it to merge with the registry. Now delete fix.reg.


    Please upload the following files to my submission channel. Leave a link back to this topic.

    C:\QooBox\Quarantine\C\i.bat.vir
    C:\QooBox\Quarantine\C\lgcadwx.bat.vir

    Thanks!


    Now, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Finally, do an online scan with Kaspersky WebScanner

    Click Scan Now and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log. Let me know if there's been any improvement in performance.
     
  8. 2008/04/11
    igorhamburg
    Hello again ;)

    Ran Kaspersky today - but didn't disable Symantec prior to that - do not know if it is okay this way or not.... anyway, here are the results - looks like my pc is FULL of worms and viruses - a whole zoo of them.... :(

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, April 11, 2008 6:14:47 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 11/04/2008
    Kaspersky Anti-Virus database records: 697578
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 62820
    Number of viruses found: 12
    Number of infected objects: 102
    Number of suspicious objects: 0
    Duration of the scan process: 03:06:29

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\RarSFX0\10.sfx.exe/data.rar/10.exe Infected: Packed.Win32.PolyCrypt.h skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\RarSFX0\10.sfx.exe/data.rar Infected: Packed.Win32.PolyCrypt.h skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\RarSFX0\10.sfx.exe RarSFX: infected - 2 skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\暫時目錄 1 用於 李家同開砲.zip\李家同開砲.cmd/data.rar/10.sfx.exe/data.rar/10.exe Infected: Packed.Win32.PolyCrypt.h skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\暫時目錄 1 用於 李家同開砲.zip\李家同開砲.cmd/data.rar/10.sfx.exe/data.rar Infected: Packed.Win32.PolyCrypt.h skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\暫時目錄 1 用於 李家同開砲.zip\李家同開砲.cmd/data.rar/10.sfx.exe Infected: Packed.Win32.PolyCrypt.h skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\暫時目錄 1 用於 李家同開砲.zip\李家同開砲.cmd/data.rar Infected: Packed.Win32.PolyCrypt.h skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\igor\LOCALS~1\Temp\暫時目錄 1 用於 李家同開砲.zip\李家同開砲.cmd RarSFX: infected - 4 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05940000.VBN Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05940002.VBN Infected: Trojan-PSW.Win32.OnLineGames.zrw skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08580000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A540000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
    C:\Documents and Settings\igor\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml/[From chien-hung <xxx@yahoo.com.tw>][Date Tue, 12 Feb 2008 11:09:56 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar/30.sfx.exe/data.rar/30.exe Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml/[From chien-hung <xxx@yahoo.com.tw>][Date Tue, 12 Feb 2008 11:09:56 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar/30.sfx.exe/data.rar Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml/[From chien-hung <xxx@yahoo.com.tw>][Date Tue, 12 Feb 2008 11:09:56 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar/30.sfx.exe Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml/[From chien-hung <xxx@yahoo.com.tw>][Date Tue, 12 Feb 2008 11:09:56 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:09:56 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:09:56 +0800 (CST)]/±b¸¹.zip Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\2C622B3B-00000022.eml Mail: infected - 6 skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:10:49 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar/30.sfx.exe/data.rar/30.exe Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:10:49 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar/30.sfx.exe/data.rar Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:10:49 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar/30.sfx.exe Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:10:49 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:10:49 +0800 (CST)]/±b¸¹.zip/±b¸¹.cmd Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml/[From chien-hung <xxx@xxx.com.tw>][Date Tue, 12 Feb 2008 11:10:49 +0800 (CST)]/±b¸¹.zip Infected: Trojan-PSW.Win32.Magania.fbv skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\刪除的郵件\30C91334-00000021.eml Mail: infected - 6 skipped
    C:\Documents and Settings\igor\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Temp\hsperfdata_igor\3864 Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\igor\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\igor\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.dhs skipped
    C:\QooBox\Quarantine\C\WINDOWS\Help\F3C74E3FA248.dll.vir Infected: Trojan-PSW.Win32.Magania.iqr skipped
    C:\QooBox\Quarantine\C\WINDOWS\Help\F3C74E3FA248.exe.vir Infected: Trojan-PSW.Win32.Magania.iqr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kavo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\tavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\tavo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\QooBox\Quarantine\catchme2008-04-10_130356.71.zip/Documents and Settings/igor/catchme.zip/i.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\QooBox\Quarantine\catchme2008-04-10_130356.71.zip/Documents and Settings/igor/catchme.zip/lgcadwx.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
    C:\QooBox\Quarantine\catchme2008-04-10_130356.71.zip/Documents and Settings/igor/catchme.zip/tavo0.dll Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\QooBox\Quarantine\catchme2008-04-10_130356.71.zip/Documents and Settings/igor/catchme.zip Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\QooBox\Quarantine\catchme2008-04-10_130356.71.zip ZIP: infected - 4 skipped
    C:\QooBox\Quarantine\D\autorun.inf.vir Infected: Worm.Win32.AutoRun.dhs skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000001.exe Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000002.exe Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000003.dll Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000004.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000006.exe Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000007.dll Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000075.dll Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000076.dll Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000080.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000081.inf Infected: Worm.Win32.AutoRun.dhs skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000084.exe Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000093.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000094.inf Infected: Worm.Win32.AutoRun.dhs skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000100.exe Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000101.dll Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000102.exe Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000103.dll Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0001081.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001168.exe Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001169.dll Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001170.exe Infected: Trojan-PSW.Win32.OnLineGames.xmt skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001174.dll Infected: Trojan-PSW.Win32.Magania.iqr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001175.exe Infected: Trojan-PSW.Win32.Magania.iqr skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001176.inf Infected: Worm.Win32.AutoRun.dhs skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP5\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{996E571C-938F-4598-AFC7-0BD2847ABF70}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\i.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip/±B¯½·Ã“.cmd/data.rar/28.exe Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip/±B¯½·Ã“.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip/±B¯½·Ã“.cmd Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip/±B¯½·Ã“.cmd/data.rar/28.exe Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip/±B¯½·Ã“.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip/±B¯½·Ã“.cmd Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED/±B¯½·Ã“.zip Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx/[From chien-hung <xxx@xxx.com.tw>][Date Sun, 6 Apr 2008 06:04:36 +0800 (CST)]/UNNAMED Infected: Trojan-PSW.Win32.Magania.jew skipped
    D:\mail\Hotmail - 刪除的郵件.dbx Mail MS Outlook 5: infected - 10 skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED/«Ã§»Ã²´N¤£Ã–}.bat/data.rar/8.exe Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED/«Ã§»Ã²´N¤£Ã–}.bat/data.rar Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED/«Ã§»Ã²´N¤£Ã–}.bat Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED/·d¯ºªº¤£±o¤F.bat/data.rar/8.exe Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED/·d¯ºªº¤£±o¤F.bat/data.rar Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED/·d¯ºªº¤£±o¤F.bat Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Sat, 26 May 2007 09:44:50 +0800 (CST)]/UNNAMED Infected: Trojan-PSW.Win32.Maran.fo skipped
    D:\mail\Hotmail - 收件匣.bak Mail MS Outlook 5: infected - 7 skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip/·s¸¹½X.cmd/data.rar/6.exe Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip/·s¸¹½X.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip/·s¸¹½X.cmd Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip/·s¸¹½X.cmd/data.rar/6.exe Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip/·s¸¹½X.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip/·s¸¹½X.cmd Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/·s¸¹½X.zip Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx/[From =?big5?q?=A4=FD=20=A8=CE=AC=C2?= <xxx@xxx.com.tw>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED Infected: Trojan-PSW.Win32.Magania.hfz skipped
    D:\mail\Hotmail - 收件匣.dbx Mail MS Outlook 5: infected - 10 skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000005.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000082.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP1\A0000083.inf Infected: Worm.Win32.AutoRun.dhs skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000095.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0000096.inf Infected: Worm.Win32.AutoRun.dhs skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP2\A0001082.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP3\A0001177.inf Infected: Worm.Win32.AutoRun.dhs skipped
    D:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP5\change.log Object is locked skipped

    Scan process completed.


    ------------------------------------------------------------------------


    THIS IS THE HIJACKTHIS FILE

    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 18:29:30, on 11.04.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\System32\ezSP_PxEngine.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_PxEngine.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java ¥D±±¥x - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://etrade.yuanta.com.tw/TSWeb/TaiCA/FSCAPIATL.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec AntiVirus ¥I?aoY (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    --
    End of file - 6242 bytes


    -----------------------------------------------------------------------

    All this looks very intimidating to me... looks like the viruses are all over my pc - is there hope of getting them out? ;) Or should I copy the files out and clean the drives? I am no specialist in all this at all, thank God you are so kind as to give me a helping hand, really appreciate it! :) Please let me know what I should do next ;) Many many thanks! You are the best!!!
    igor
     
    Last edited by a moderator: 2008/04/11
  9. 2008/04/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not as bad as it looks. Delete the following file.

    D:\i.bat

    There are some infected Windows Live Mail\Hotmail emails and email backups in D:\mail\Hotmail. The backups in D:\mail\Hotmail (D:\mail\Hotmail - ?????.dbx and ???.bak ) may require deleting completely, unless you have an application to extract them and delete only the infected emails, then replace the backup with what remains. The infected emails within Windows Live Mail you should be able to delete through its interface. I will send you the details for those emails via private message since they contain email addresses.

    Open the Norton Antivirus interface and delete all Quarantined items.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Now run another Kaspersky scan and post the report here.
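The triage noahdfear does by eye above (the only file actually sitting on the live file system is D:\i.bat; everything else is in an AV quarantine, in System Restore snapshots or inside mail stores, each of which has its own clean-up route) can be automated for reports in this Kaspersky Online Scanner 5.x format. The script below is an added example written for this thread, not code from the forum or from Kaspersky: the sample report lines are constructed to match the format shown above (with a placeholder restore-point GUID and a dummy sender address), and the location rules are the editor's own heuristics for the folders that appear in these logs. It also collapses the one-line-per-nested-archive-layer hits back to the on-disk file they came from, which is why a report can list many more "Infected" lines than its "Number of infected objects" header.

```python
"""Triage a Kaspersky Online Scanner 5.x report: separate live infections from noise.

Added example for this thread (not the forum's or Kaspersky's code). It parses the
"Infected Object Name / Virus Name / Last Action" lines, drops locked-file and
container-summary lines, and buckets each finding by where it lives on disk.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the report format in the thread (GUID and sender
# address are placeholders, not values from the page).
SAMPLE_REPORT = r"""
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05940000.VBN Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.dhs skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP1\A0000001.exe Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
D:\mail\Hotmail - Inbox.dbx/[From someone <xxx@example.invalid>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/attach.zip/attach.cmd/data.rar/6.exe Infected: Trojan-PSW.Win32.Magania.hfz skipped
D:\mail\Hotmail - Inbox.dbx/[From someone <xxx@example.invalid>][Date Tue, 11 Mar 2008 06:20:37 +0800 (CST)]/UNNAMED/attach.zip/attach.cmd/data.rar Infected: Trojan-PSW.Win32.Magania.hfz skipped
D:\mail\Hotmail - Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
D:\i.bat Infected: Trojan-PSW.Win32.OnLineGames.xmr skipped
"""

# Three line shapes occur in the report:
#   <path> Infected: <name> skipped   /  <path> Suspicious: <name> skipped
#   <path> Object is locked skipped
#   <path> Mail: infected - 6 skipped  (per-container totals, e.g. "ZIP:", "Mail MS Outlook 5:")
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<status>Infected|Suspicious):\s+(?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>[A-Za-z0-9 ]+?):\s+(?:infected|suspicious)\s+-\s+\d+)"
    r"\s+(?P<action>\S+)\s*$"
)


def classify_location(path):
    """Editor's heuristic: where a hit lives decides how it gets cleaned up."""
    p = path.lower()
    if "\\quarantine\\" in p or "\\qoobox\\" in p:
        return "quarantine"      # already neutralised by an AV tool; empty the quarantine
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore snapshot; cleared by resetting restore
    if "\\deckard\\" in p:
        return "tool_backup"     # backup folder left by a scanning tool; removed with it
    if ".eml" in p or ".dbx" in p or ".bak" in p:
        return "mail_store"      # needs the mail client or a rewrite of the backup file
    return "live"                # on the active file system: the one to act on directly


def on_disk_file(path):
    """Nested archive/mail layers are separated by '/'; the on-disk file is the first part."""
    return path.split("/")[0]


def parse_report(lines):
    """Return one dict per real finding; locked objects and container totals are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("locked") or m.group("container"):
            continue
        hits.append({
            "path": m.group("path"),
            "status": m.group("status"),
            "name": m.group("name"),
            "location": classify_location(m.group("path")),
        })
    return hits


def summarize(report_text):
    """Count findings and list the distinct on-disk files per location."""
    hits = parse_report(report_text.splitlines())
    files = defaultdict(set)
    for h in hits:
        files[h["location"]].add(on_disk_file(h["path"]))
    return {
        "hits": len(hits),
        "files_by_location": {loc: sorted(paths) for loc, paths in files.items()},
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("finding lines:", summary["hits"])
    for loc, paths in summary["files_by_location"].items():
        print(f"{loc}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Run against a saved report, the "live" bucket is the short list that needs direct deletion, while the quarantine, restore-point and mail-store buckets map onto the steps in the reply above (empty the Norton quarantine, ComboFix /u to reset restore points, delete mails through the client). Paths in the "live" bucket are listed for review, not deleted; the script only reads the report.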
     
  10. 2008/04/12
    igorhamburg

    igorhamburg Inactive Thread Starter

    Joined:
    2008/04/08
    Messages:
    6
    Likes Received:
    0
    HERE IT GOES ;)
    4 more viruses to kill? ;)


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, April 12, 2008 3:44:42 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 12/04/2008
    Kaspersky Anti-Virus database records: 699549
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 61003
    Number of viruses found: 4
    Number of infected objects: 4
    Number of suspicious objects: 2
    Duration of the scan process: 02:57:21

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05940000.VBN Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05940002.VBN Infected: Trojan-PSW.Win32.OnLineGames.zrw skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08580000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A540000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
    C:\Documents and Settings\igor\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\收件匣\323B2213-00000913.eml/[From email479380@id531862.secure.paypal.com <email479380@id531862.secure.paypal.com>][Date Tue, 01 Apr 2008 03:09:49 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\收件匣\323B2213-00000913.eml Mail: suspicious - 1 skipped
    C:\Documents and Settings\igor\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\igor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\igor\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\igor\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{A2C40451-9E7C-484D-B284-6674717FF8A5}\RP6\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

    WHAT IS NEXT? :)
    Many thanks for your help again!!!
    igor
     
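    Reading a report like the one above by hand is error-prone: almost every line is "Object is locked skipped" noise from in-use system files, and the few real hits are split between copies already sitting in another product's quarantine folder, a phishing message inside a mail store, and anything still live on disk. The following Python snippet is an added example, not code from the thread or from either scanner vendor: it parses the report format shown above and sorts the findings into those buckets. The sample report is constructed (paths shortened, and the `sample_live_hit.exe` line is invented to show a hit outside quarantine); the `triage` and `mail_files` helper names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the online-scanner report posted in the thread.
# The "sample_live_hit.exe" line is invented to show a hit that is NOT already quarantined.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05940000.VBN Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Inbox\323B2213-00000913.eml/[From sender@example.com]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\igor\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Inbox\323B2213-00000913.eml Mail: suspicious - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\sample_live_hit.exe Infected: Trojan-PSW.Win32.OnLineGames.yrz skipped
"""

# A report line is "<object path> <verdict> skipped". Paths contain spaces, so the
# path is matched non-greedily and the verdict is anchored to the end of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|Mail: suspicious - (?P<mail>\d+))"
    r" skipped$"
)


@dataclass
class Finding:
    path: str             # object path as printed, including any container member after "/"
    verdict: str          # "locked", "infected", "suspicious" or "mail"
    name: Optional[str]   # detection name, when the verdict carries one

    @property
    def container(self) -> str:
        # The scanner separates a container (mail file, archive) from the member it
        # inspected with "/"; everything before the first "/" is the on-disk file.
        return self.path.split("/", 1)[0]

    @property
    def in_quarantine(self) -> bool:
        # Hits inside an AV quarantine folder are already contained; the second scanner
        # merely sees the stored copies. They need deleting, not cleaning.
        return "\\quarantine\\" in self.container.lower()

    @property
    def is_mail(self) -> bool:
        return self.verdict == "mail" or self.container.lower().endswith(".eml")


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        for verdict in ("locked", "infected", "suspicious", "mail"):
            if m.group(verdict) is not None:
                name = m.group(verdict) if verdict in ("infected", "suspicious") else None
                findings.append(Finding(m.group("path"), verdict, name))
                break
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Sort findings into the buckets a responder acts on differently."""
    buckets: Dict[str, List[Finding]] = {"locked": [], "quarantined": [], "mail": [], "live": []}
    for f in findings:
        if f.verdict == "locked":
            buckets["locked"].append(f)        # in-use system files: noise, not detections
        elif f.in_quarantine:
            buckets["quarantined"].append(f)   # empty the other product's quarantine folder
        elif f.is_mail:
            buckets["mail"].append(f)          # delete the message from the mail client
        else:
            buckets["live"].append(f)          # still on disk outside quarantine: handle first
    return buckets


def mail_files(findings: List[Finding]) -> List[str]:
    """Distinct on-disk mail files that contain a flagged message."""
    return sorted({f.container for f in findings if f.is_mail})


def detection_names(findings: List[Finding]) -> Counter:
    return Counter(f.name for f in findings if f.name)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(found).items():
        print(f"{bucket}: {len(items)}")
    for path in mail_files(found):
        print("delete message in:", path)
```

    On the constructed sample this yields two locked files, one quarantined copy, two mail-related lines that both point at the same .eml file, and one live hit; the live bucket is the one to deal with before declaring the machine clean.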
  11. 2008/04/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! 1 suspicious and some files still in Norton's quarantine. Delete the following please.

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\* << asterisk means delete everything in the Quarantine folder

    In Windows Mail folder Hotmail\收件匣
    <email479380@id531862.secure.paypal.com>][Date Tue, 01 Apr 2008 03:09:49 +0200]

    Empty the recycle bin when done.

    Everything seem to be working as it should? Computer performing OK?
     
  12. 2008/04/12
    igorhamburg

    igorhamburg Inactive Thread Starter

    Joined:
    2008/04/08
    Messages:
    6
    Likes Received:
    0
    Deleted the files as you advised ;) hopefully those were the last viruses here ;)
    I get no more virus notifications from Symantec, typing is back to normal, no more missed letters as before (3 out of 10 would appear)... the only thing which is still very slow is Internet Explorer - it takes ages to open a window etc. Maybe it is because my PC is getting old? It is about 6 years old by now ;) Or maybe there is not enough memory space or something? No matter what - I AM VERY VERY GRATEFUL FOR YOUR KIND HELP! I was really getting frustrated when it all started to happen - it killed a week of my time, but with your help I seem to be on the way to recovery ;) THANK YOU SO MUCH!!!! I hope one day I will be able to help you with something in return ;)
    igor
     
  13. 2008/04/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You might want to check all options in ATF Cleaner and run it. Have you cleaned the dust from inside the case lately? Has IE7 always been slow? If so, maybe try re-installing it.

    You're very welcome, Igor. Glad I could help. :)

    Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
     