Windows security alert popup. Please help! [RESOLVED]
Post #1, Mar 17 2008, 05:56 PM
Member (Posts: 12, OS: windows xp)
Hello!!
I have this pesky Windows security alert popup that continues to pop up about 30 seconds after I boot up my desktop. The entire message is this: "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unauthorized access to your files! Click here to download spyware remover..." I also have a red button with a white X in the middle, and right beside it is a yield sign with a black exclamation point, which both tell me that my computer is infected. I believe if you try to click on either of them, they take you to protect.spyguardpro.com. I'm using Spyware Doctor on my computer so it blocks the site from being accessed. I've had Virtumonde and Outerinfo, and I took plenty of scans and figured that I got rid of it; however, I can't get rid of these icons or this pop-up. I've tried scanning with Spyware Doctor, AVG Anti-Spyware, SUPERAntiSpyware, and SmitfraudFix. None of these have been able to fix my problem. I was thinking that it was a hidden file in Internet Explorer, like a hidden rootkit or something, but I'm willing to try anything else at this point, including using these programs over if need be.
This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:42 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42B18F05-59FA-495F-BB30-D6B82070B108} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvkat.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5252 bytes

And I don't know if you need this, but here is my uninstall list as well:

Adobe Flash Player Plugin
Adobe Reader 7.0.5
Adware Away v3.1.4.7
Apple Software Update
BUFFALO Client Manager 3
Compaq Connections (remove only)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
DivX Content Uploader
DivX Web Player
ffdshow [rev 1324] [2007-07-01]
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB935448)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Support Overview
HP Web Helper
J2SE Runtime Environment 5.0 Update 6
Lexmark X1100 Series
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Money 2006
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Works
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
My HP Games
Netscape Browser (remove only)
NVIDIA Drivers
PC-Doctor 5 for Windows
Python 2.2
pywin32 extensions (build 203)
Quicken 2006
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spyware Doctor 5.5
SUPERAntiSpyware Free Edition
TVersity Codec Pack 1.1
TVersity Media Server 0.9.11.4 beta
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066

Please help if you can!! I appreciate your time and concern!!
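As an added example (not code from this thread, from HijackThis or from Trend Micro), here is a small Python triage script that applies the checks a helper applies by eye to the O2, O4 and O20 lines of a log like the one above: a rundll32 Run entry loading a DLL that is not on a per-machine allowlist, a Winlogon Notify handler whose DLL is a bare name or reported missing, and a BHO registration with no backing file. The sample lines are constructed from this log; the allowlist KNOWN_RUNDLL32_DLLS and the severity labels are assumptions, and a "review" flag means unknown to the allowlist, not malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on O2/O4/O20 entries from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42B18F05-59FA-495F-BB30-D6B82070B108} - (no file)
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvkat.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
"""

# Assumption: a per-machine allowlist of DLLs that rundll32 legitimately loads at
# logon (here the two benign ones from the log above). Anything else is "review".
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll", "ftutil2.dll"}

# O4 registry Run entries: "O4 - HKLM\..\Run: [name] command"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 command: "rundll32.exe <dll>,<export>" (the export is optional)
RUNDLL32_RE = re.compile(
    r"\brundll32(?:\.exe)?\s+(?P<dll>[^,]+?)(?:,(?P<export>\S+))?\s*$", re.IGNORECASE
)
# O20 Winlogon Notify entries: "O20 - Winlogon Notify: name - target"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")
# O2 browser helper objects: "O2 - BHO: name - {CLSID} - target"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    name: str      # Run value name, Notify key name, or BHO CLSID
    severity: str  # "high", "review" or "low" (labels are an assumption)
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a possibly quoted Windows path."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Apply the three heuristics to one log line; None means nothing to report."""
    line = line.strip()
    m = O4_RUN_RE.match(line)
    if m:
        r = RUNDLL32_RE.search(m["cmd"])
        if r:
            dll = _basename(r["dll"])
            if dll not in KNOWN_RUNDLL32_DLLS:
                return Finding("O4", m["name"], "review",
                               f"rundll32 loads {dll} (export '{r['export'] or '?'}'), "
                               "not on the known-DLL allowlist")
        return None
    m = O20_RE.match(line)
    if m:
        target = m["target"]
        # Legitimate Notify handlers point to an existing DLL by full path; a bare
        # name that HijackThis reports as missing is the pattern seen in this log.
        if "(file missing)" in target or "\\" not in target:
            return Finding("O20", m["name"], "high",
                           "Winlogon Notify handler points to a missing or bare DLL name")
        return None
    m = O2_RE.match(line)
    if m and m["target"].strip() == "(no file)":
        return Finding("O2", m["clsid"], "low", "orphaned BHO registration with no backing file")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line and keep the findings, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'review': 2, 'low': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section} {f.name}: {f.reason}")
    print(summarize(found))
```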
Post #2, Mar 18 2008, 08:26 AM
Malware Expert (Posts: 5,489, From: Belgium, OS: XP Home, XP Pro, Vista)
Hi,
I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first. I notice that you never scanned with an Antivirus before starting this thread - because you don't even have an Antivirus installed! This is somewhat suicidal in today's digital world. That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus. Perform a full scan with Avira and let it delete everything it is finding. Then reboot.
After reboot, open your Avira and select "reports". There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present, which should be able to deal with most and prevent further reinfection.
Post #3, Mar 19 2008, 10:26 PM
Member (Posts: 12, OS: windows xp)
Ahh, when I downloaded Spyware Doctor, it said it had antivirus on it, but I guess it wasn't good enough of a replacement. I accidentally put it all on quarantine, but I deleted everything in the quarantine folder. I'm not getting the pop-up anymore; however, there were some things that weren't deleted. Here is my Avira report:
AntiVir PersonalEdition Classic
Report file date: Wednesday, March 19, 2008 01:42

Scanning for 1157825 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: TJ

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 18:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 17:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 20:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 17:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 21:08:03
ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 3/7/2008 21:08:04
ANTIVIR3.VDF : 7.0.3.49 297472 Bytes 3/18/2008 21:08:04
AVEWIN32.DLL : 7.6.0.75 3334656 Bytes 3/18/2008 21:08:05
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 12:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/18/2008 21:08:05
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 12:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 17:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 12:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 17:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 17:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 14:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, March 19, 2008 01:42

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MediaServer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RtlWake.exe' - '1' Module(s) have been scanned
Scan process 'Compaq Connections.exe' - '1' Module(s) have been scanned
Scan process 'cm3_tray.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmgr.exe' - '1' Module(s) have been scanned
Scan process 'pctsTray.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'pctsSvc.exe' - '1' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'Bwsvc.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
    [NOTE] No virus was found!
Boot sector 'D:\'
    [NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\drvkat.dll
    [DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
    [INFO] The file was moved to '4856a84f.qua'!
C:\WINDOWS\system32\drvkat.dll
    [DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
The registry was scanned ( '34' files ).

Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
    [WARNING] The file could not be opened!
C:\pagefile.sys
    [WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B312472.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813aa8b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11A55B1B.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4821aa80.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15313459.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813aa87.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\153B324E.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813aa89.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\153E5C4B.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813aa8c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15453043.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814aac7.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\159D1DE2.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4819aad2.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15A047DF.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4821aad6.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15AA45D4.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4821aad8.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15AD6FD0.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4821ab25.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15B443C9.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4822ab27.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15B76DC6.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4822ab2b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16C16071.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4823ab2d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17810750.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4818ab2e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21DF6138.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4824ab29.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45694673.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4816ab2d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\506E4A7C.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4816ab28.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50F90272.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4826ab29.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C170339.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4811ab3c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C4666FC.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814ab3d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C530EED.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4815ab3d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C6A34D4.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4816ab3e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7047A8.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab3e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7371A4.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab3f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7432C9.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49af14a0.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C761BA1.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab40.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7A459D.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49af14a1.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C801996.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4818ab40.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C8B58B0.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4818ab41.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CDC7256.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4824ab41.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CE91A48.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4825ab42.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DBC2087.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4822ab44.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DCB6B50.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4823ab48.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E7B468E.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab4c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E854483.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4818ab51.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EF02E0D.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4826ab52.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EF45809.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4826ab53.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EFA2C02.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4826ab56.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F017FFB.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4810ab57.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F0E27EC.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4810ab58.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F1151E9.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4811ab59.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F1B4FDE.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4811ab5a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F2877D0.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4812ab5b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F351FC1.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813ab5c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F4F6FA4.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814ab5f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F636B8F.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4816ab5f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F7D3B72.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab60.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F8D0D60.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4818ab62.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F9E5F4E.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4819ab63.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FA75D43.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4821ab64.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FB40535.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4822ab64.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FBB592E.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4822ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FC55723.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4823ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FD27F15.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4824ab66.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FDF2706.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '499c1487.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60101CD0.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4811ab55.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\603E689E.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813ab56.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6041129B.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814ab56.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60443C97.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814ab57.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60476693.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814ab59.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\604B1090.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4814ab5a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60516489.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4815ab5a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60583881.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4815ab5b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\605E0C7A.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49ad14bc.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60613677.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4816ab5c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60680A6F.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49ae14bd.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60720865.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab5d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60753261.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49af14be.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\607C065A.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4817ab5e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\608F0244.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4818ab5f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C74C07.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4823ab62.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60D473F9.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4824ab63.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60DA47F2.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4824ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60E11BEA.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4825ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60EE43DC.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4825ab67.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60FB6BCE.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4826ab67.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\610B3DBC.exe
    [DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Delf.BF Backdoor server programs
    [INFO] The file was moved to '4810ab69.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61153BB1.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4811ab6a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\611C0FAA.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49a9148b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\612263A3.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4812ab6b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6129379B.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '49aa148c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61365F8D.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813ab6c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\613C3386.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Parite
    [INFO] The file was moved to '4813ab6d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61405D82.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4814ab6d.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6146317B.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '49ac148e.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\614D0574.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4814ab6e.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61560369.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4815ab6f.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\615D5762.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '49ad1490.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61675557.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4816ab70.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6181253A.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4818ab71.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61E310CF.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4825ab71.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62000AAE.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4810ab75.qua'! 
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62105C9C.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4811ab75.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63DD33C4.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4824ab77.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63E407BD.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4825ab77.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63E731B9.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4825ab78.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65CE21A2.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4823ab7a.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65D14B9E.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4824ab7a.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AB3651B.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4822ab87.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6ABD6311.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '499a1468.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AE3020B.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4825ab88.qua'! 
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AEA5604.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4825ab89.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AED0000.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '499d146a.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AF029FD.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4826ab89.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AF353F9.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4826ab8a.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AF77DF6.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4826ab8b.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B007BEB.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4810ab8c.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E731CFB.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4817ab90.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E7F6C12.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4817ab91.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\713F3F0B.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4813ab7d.qua'! 
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\718874BB.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4818ab7e.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\726120A8.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4816ab7f.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\729B3B8D.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4819ab80.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72A26860.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4821ab80.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72A93C59.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4821ab81.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72AC6655.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '49991462.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73CF7F16.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4823ab82.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75612B5C.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4816ab85.qua'! C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77A752B9.exe [DETECTION] Contains detection pattern of the Windows virus W32/Parite [INFO] The file was moved to '4821ab88.qua'! 
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.44
[INFO] The file was moved to '4849ad5b.qua'!
C:\Program Files\HP Games\Cake Mania\CakeMania-WT.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '484bbb16.qua'!
C:\Program Files\HP Games\Diner Dash\Diner Dash.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[INFO] The file was moved to '484ebb28.qua'!
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.aeh
[INFO] The file was moved to '4841bdcd.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <PRESARIO_RP>

End of the scan: Wednesday, March 19, 2008 04:00
Used time: 2:18:15 min

The scan has been done completely.

14047 Scanning directories
610027 Files were scanned
122 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
124 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
609905 Files not concerned
22563 Archives were scanned
3 Warnings
127 Notes

And this is my second HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:25 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42B18F05-59FA-495F-BB30-D6B82070B108} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5849 bytes

This is all of my information so far, but I'm not sure what to do from here.
Mar 20 2008, 12:01 AM
Post #4
Malware Expert
Posts: 5,489
From: Belgium
OS: XP Home, XP Pro, Vista
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Mar 20 2008, 11:33 AM
Post #5
Member
Posts: 12
OS: windows xp
Okay, I ran ComboFix and here are the results of it:
ComboFix 08-03-18.1 - Compaq_Owner 2008-03-20 13:02:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.530 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\Y8LA7QJD\www.broadcaster.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\Y8LA7QJD\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\Y8LA7QJD\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINDOWS\adaway.lic
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\vwfydjrd.ini
C:\WINDOWS\system32\yvojmbvy.dllbox
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Program Files\Avira
2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-17 19:24 . 2008-03-17 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 19:23 . 2008-03-17 19:23 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-15 15:57 . 2008-03-15 15:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-15 15:57 . 2005-06-10 17:20 1,536 --a------ C:\WINDOWS\system32\bwsvc_event.dll
2008-03-15 15:56 . 2005-07-06 11:52 9,600 --a------ C:\WINDOWS\system32\BUFADPT.SYS
2008-03-15 15:55 . 2006-02-01 09:05 192,512 --a------ C:\WINDOWS\UN800114.EXE
2008-03-13 15:04 . 2008-03-14 21:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 15:04 . 2008-03-13 15:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 21:40 . 2008-02-29 21:40 <DIR> d--hs---- C:\found.000
2008-02-21 15:12 . 2008-02-21 15:12 <DIR> d-------- C:\Documents and Settings\Administrator.TJ\.housecall6.6
2008-02-21 15:12 . 2008-02-21 15:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 17:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 17:15 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-18 00:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-03-10 17:34 --------- d-----w C:\Program Files\Azureus
2008-03-04 02:56 --------- d-----w C:\Program Files\StepMania
2008-02-27 05:57 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-23 22:06 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-20 17:16 --------- d-----w C:\Program Files\The Cleaner
2008-02-19 17:57 --------- d-----w C:\Program Files\Adware Away
2008-02-12 20:09 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-08 08:28 --------- d-----w C:\Program Files\DivX
2008-02-05 22:07 --------- d-----w C:\Program Files\TVersity Codec Pack
2008-02-05 22:07 --------- d-----w C:\Program Files\ffdshow
2008-02-05 22:05 --------- d-----w C:\Program Files\TVersity
2008-02-05 21:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-01-31 09:41 --------- d-----w C:\Program Files\QuickTime
2008-01-31 09:40 --------- d--h--w C:\Documents and Settings\Compaq_Owner\Application Data\ijjigame
2008-01-31 09:39 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-01-31 09:39 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-01-30 05:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-01-29 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-29 17:46 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-01-29 15:56 1,519,616 ----a-w C:\WINDOWS\system32\nwiz .exe
2008-01-29 09:04 218,504 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-29 05:25 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\Talkback
2008-01-29 03:57 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 23:23 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\PC Tools
2008-01-25 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-24 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 05:15 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-01-24 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-24 05:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 02:31 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DAEMON Tools
2008-01-24 02:29 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-01-24 02:22 --------- d-----w C:\Program Files\Trillian
2008-01-24 02:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-24 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-23 04:05 700,416 ----a-w C:\StubInstaller.exe
2008-01-23 03:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2008-01-23 03:52 53,248 ----a-w C:\WINDOWS\ap561.exe
2008-01-23 03:46 1,688 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RE467AA-ABA SR2010NX NA640_YC_0Pres_QCNH631_E64NAheREA2_48_INAOS_SASUSTek Computer INC._V1.05_B3.00_T060630_WXH2_L409_M959_J120_7AMD_8Sempron_91.8_#061002_N_Z14F12 F20_G10DE0241_OLITE-ON COMBO SOHC-4836K.MRK
2008-01-23 03:45 --------- d-----w C:\Program Files\Windows Defender
2008-01-22 06:08 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Aim
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2006-12-25 04:23 450 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-10-01 19:43 119,798 -c--a-w C:\WINDOWS\inf\spca561.sys
.

----a-w 27,136 2008-01-24 23:35:07 C:\hp\bin\cloaker .exe
----a-w 185,896 2008-01-23 03:46:28 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 52,848 2008-01-24 02:29:49 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 218,240 2008-01-24 02:29:50 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w 49,152 2008-01-29 15:56:47 C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w 36,975 2008-01-29 16:09:57 C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w 1,694,208 2008-01-29 15:58:11 C:\Program Files\Messenger\msmsgs .exe
----a-w 53,248 2008-01-24 02:29:48 C:\Program Files\PC-Doctor 5 for Windows\RunProfiler .exe
----a-w 1,103,752 2008-01-29 15:58:04 C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w 1,318,912 2008-01-29 15:58:37 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 663,552 2008-01-29 18:28:10 C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w 208,952 2008-01-23 03:39:06 C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
------w 237,568 2008-01-25 05:53:13 C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 1,519,616 2008-01-29 15:56:43 C:\WINDOWS\system32\nwiz .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 18:50 7311360]
"nwiz"="nwiz.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"PCDrProfiler"="" []
"MSDrive"="C:\WINDOWS\system32\drvjuf.dll" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-01-31 03:10 1103752]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-18 17:08 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-12 15:46:23 113664]
ClientManager3.lnk - C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe [2008-03-15 15:55:55 466944]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-01 14:56:30 36903]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-05-17 13:12:22 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsst]
awtrsst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvojmbvy]
yvojmbvy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 11:52]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-29 05:04]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 13:16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-20 13:26:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 17:26:07
.
2008-03-12 20:09:09 --- E O F ---

And here is my new HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:48 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc.
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe -- End of file - 6091 bytes Well, now that this is done, what is my next step? Also, thanks again for the help thus far. I appreciate it very much so. |
Post #6 - Mar 20 2008, 12:02 PM
Malware Expert (Posts: 5,489; From: Belgium; OS: XP Home, XP Pro, Vista)
Hi,
* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

QUOTE
Renv::
C:\hp\bin\cloaker .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\PC-Doctor 5 for Windows\RunProfiler .exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\CREATOR\Remind_XP .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system32\nwiz .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsst]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvojmbvy]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000

Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Also, I see you have disabled your Windows Firewall. Please enable it again, since you have no other firewall installed (unless you decide to install a desktop firewall).
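The CFScript in the post above does three things by hand: it deletes the MSDrive Run value that loaded a random-named DLL via rundll32, deletes the two Winlogon Notify keys whose DLLs no longer exist on disk, and flips Security Center's AntiVirusDisableNotify back to 0. As an added example (not a tool from this thread, from ComboFix or from HijackThis), the Python script below performs the same triage over HijackThis-style log lines and renders the matching removal entries in the .reg syntax ComboFix's Registry:: section accepts. The sample lines are copied from the logs posted in this thread; the "random name" heuristic (6 to 8 lowercase letters, nothing else) is this example's own assumption and its hits need a human's review before anything is deleted.

```python
"""Added example: triage HijackThis log lines for the autostart patterns this
thread cleaned up, and render the matching ComboFix Registry:: removal entries.
Not a tool from the thread or from ComboFix/HijackThis; the random-name
heuristic below is this example's own assumption."""
import re

# Constructed sample, copied from the HijackThis and ComboFix logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

RUN_RE = re.compile(r'^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll)', re.IGNORECASE)
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$')
AVNOTIFY_OFF_RE = re.compile(r'^"AntiVirusDisableNotify"=dword:0*1$')
# Heuristic (assumption of this example): the Vundo-style leftovers in this
# thread used short, letters-only, all-lowercase DLL names (awtrsst, yvojmbvy,
# drvjuf); vendor DLLs almost always carry mixed case, digits or a real word.
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,8}$')

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify'
SECCENTER_KEY = r'HKEY_LOCAL_MACHINE\software\microsoft\security center'


def looks_random(dll_ref):
    """True if the DLL's base name (path and trailing notes stripped) matches the heuristic."""
    base = dll_ref.replace('\\', '/').rsplit('/', 1)[-1]
    stem = base.split('.', 1)[0]
    return bool(RANDOM_NAME_RE.match(stem))


def triage(log_text):
    """Return (kind, name, reason) tuples for lines that deserve a human's attention."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m['cmd'])
            if d and looks_random(d['dll']):
                findings.append(('run', m['name'], 'rundll32 loads random-named DLL ' + d['dll']))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            reasons = []
            if '(file missing)' in m['dll']:
                reasons.append('DLL missing on disk (orphaned Notify key)')
            if looks_random(m['dll']):
                reasons.append('random-looking DLL name')
            if reasons:
                findings.append(('notify', m['name'], '; '.join(reasons)))
            continue
        if AVNOTIFY_OFF_RE.match(line):
            findings.append(('seccenter', 'AntiVirusDisableNotify', 'Security Center AV alerts disabled'))
    return findings


def registry_script(findings):
    """Render findings as a ComboFix Registry:: section using .reg semantics, as in
    the thread's CFScript: "name"=- deletes a value, [-key] deletes a whole key,
    and a dword line rewrites a value."""
    run_values = [name for kind, name, _ in findings if kind == 'run']
    notify_keys = [name for kind, name, _ in findings if kind == 'notify']
    fix_seccenter = any(kind == 'seccenter' for kind, _, _ in findings)
    out = ['Registry::']
    if run_values:
        out.append('[%s]' % RUN_KEY)
        out.extend('"%s"=-' % name for name in run_values)
    out.extend('[-%s\\%s]' % (NOTIFY_KEY, name) for name in notify_keys)
    if fix_seccenter:
        out.append('[%s]' % SECCENTER_KEY)
        out.append('"AntiVirusDisableNotify"=dword:00000000')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for kind, name, reason in hits:
        print('%-9s %-24s %s' % (kind, name, reason))
    print()
    print(registry_script(hits))
```

Run on the sample, the script flags only MSDrive, awtrsst, yvojmbvy and the disabled Security Center notification, and leaves the NVIDIA, Compaq and SUPERAntiSpyware entries alone, which is the same set the helper removed by hand. The emitted Registry:: block is deliberately the thread's format rather than a standalone .reg file (no REGEDIT4 header), so it can be pasted into a CFScript as shown above.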
Post #7 - Mar 20 2008, 11:17 PM
Member (Posts: 12; OS: Windows XP)
I cut off Windows Firewall only for that scan because I wasn't sure if I was supposed to have it on or not while it was scanning. However, I cut it back on now. Here is my new ComboFix log:

ComboFix 08-03-18.1 - Compaq_Owner 2008-03-21 0:39:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.466 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.
2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Program Files\Avira
2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-17 19:24 . 2008-03-17 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 19:23 . 2008-03-17 19:23 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-15 15:57 . 2008-03-15 15:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-15 15:57 . 2005-06-10 17:20 1,536 --a------ C:\WINDOWS\system32\bwsvc_event.dll
2008-03-15 15:56 . 2005-07-06 11:52 9,600 --a------ C:\WINDOWS\system32\BUFADPT.SYS
2008-03-15 15:55 . 2006-02-01 09:05 192,512 --a------ C:\WINDOWS\UN800114.EXE
2008-03-13 15:04 . 2008-03-14 21:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 15:04 . 2008-03-13 15:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 21:40 . 2008-02-29 21:40 <DIR> d--hs---- C:\found.000
2008-02-21 15:12 . 2008-02-21 15:12 <DIR> d-------- C:\Documents and Settings\Administrator.TJ\.housecall6.6
2008-02-21 15:12 . 2008-02-21 15:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 04:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 04:49 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-21 04:39 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-21 04:39 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-03-21 04:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-18 00:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-03-10 17:34 --------- d-----w C:\Program Files\Azureus
2008-03-04 02:56 --------- d-----w C:\Program Files\StepMania
2008-02-27 05:57 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-20 17:16 --------- d-----w C:\Program Files\The Cleaner
2008-02-19 17:57 --------- d-----w C:\Program Files\Adware Away
2008-02-12 20:09 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-08 08:28 --------- d-----w C:\Program Files\DivX
2008-02-05 22:07 --------- d-----w C:\Program Files\TVersity Codec Pack
2008-02-05 22:07 --------- d-----w C:\Program Files\ffdshow
2008-02-05 22:05 --------- d-----w C:\Program Files\TVersity
2008-02-05 21:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-01-31 09:41 --------- d-----w C:\Program Files\QuickTime
2008-01-31 09:40 --------- d--h--w C:\Documents and Settings\Compaq_Owner\Application Data\ijjigame
2008-01-31 09:39 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-01-31 09:39 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-01-30 05:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-01-29 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-29 17:46 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-01-29 09:04 218,504 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-29 05:25 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\Talkback
2008-01-29 03:57 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 23:23 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\PC Tools
2008-01-25 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-24 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 05:15 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-01-24 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-24 02:31 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DAEMON Tools
2008-01-24 02:22 --------- d-----w C:\Program Files\Trillian
2008-01-24 02:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-24 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-23 04:05 700,416 ----a-w C:\StubInstaller.exe
2008-01-23 03:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2008-01-23 03:52 53,248 ----a-w C:\WINDOWS\ap561.exe
2008-01-23 03:46 1,688 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RE467AA-ABA SR2010NX NA640_YC_0Pres_QCNH631_E64NAheREA2_48_INAOS_SASUSTek Computer INC._V1.05_B3.00_T060630_WXH2_L409_M959_J120_7AMD_8Sempron_91.8_#061002_N_Z14F12 F20_G10DE0241_OLITE-ON COMBO SOHC-4836K.MRK
2008-01-23 03:45 --------- d-----w C:\Program Files\Windows Defender
2008-01-22 06:08 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Aim
2006-12-25 04:23 450 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 18:50 7311360]
"nwiz"="nwiz.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-25 01:53 237568]
"PCDrProfiler"="" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-01-29 11:58 1103752]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-18 17:08 249896]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2008-01-23 22:30:05 27136]

C:\Documents and Settings\Administrator.TJ\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2008-01-23 22:30:05 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-12 15:46:23 113664]
ClientManager3.lnk - C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe [2008-03-15 15:55:55 466944]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-01 14:56:30 36903]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-05-17 13:12:22 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 11:52]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-29 05:04]
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 00:50:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2008-03-21 0:57:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 04:57:45
ComboFix2.txt 2008-03-20 17:26:15
.
2008-03-12 20:09:09 --- E O F ---

And here is my newest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:00 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

-- End of file - 5898 bytes

What is the next step that I take?
Post #8 - Mar 21 2008, 12:39 AM
Malware Expert (Posts: 5,489; From: Belgium; OS: XP Home, XP Pro, Vista)
Hi,
This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:
Post #9 - Mar 21 2008, 12:16 PM
Member (Posts: 12; OS: Windows XP)
Actually, everything seems pretty good right now. I really appreciate all of the help because I didn't think I'd ever get rid of this problem.

Thanks again for everything, and I'll make sure to keep a close eye on everything from now on!
Post #10 - Mar 21 2008, 12:23 PM
Malware Expert (Posts: 5,489; From: Belgium; OS: XP Home, XP Pro, Vista)
Glad I could help.
Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy surfing again!
Post #11 - Mar 22 2008, 07:59 AM
Malware Expert (Posts: 5,489; From: Belgium; OS: XP Home, XP Pro, Vista)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else, please begin a New Topic.
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising