TROJ/BCKDR-QJL & TROJ/VIRTUM-GEN [RESOLVED]

This topic is locked.

#1 KingzJnky22 (Member, 16 posts)

Hi

I have been infected w/ a virus - it started out with DOWNLOADER.EXE & TROJAN.VUNDO.

I have Norton Anti Virus & Norton Internet Security - I ran their scan, but it did not eliminate the virus.

I went to the Symantec website and downloaded FIXVUNDO.EXE & followed the instructions carefully - still no fix.

I have since downloaded & installed ATFCLEANER.EXE, SPYSWEEPER.EXE (WEBROOT), WINDOWS KB890830-V1.34.

It seems to have gotten rid of DOWNLOADER.EXE & TROJAN.VUNDO (at least the warnings have stopped coming up). There are still annoying pop-ups for a "privacy tool" website, so I don't know if the 2 viruses have been eliminated.

NOW I have 2 more viruses: TROJ/BCKDR-QJL & TROJ/VIRTUM-GEN.

I re-ran everything again - TROJ/BCKDR-QJL returns - none of my antivirus programs will delete/eliminate this virus.

I downloaded DECKARDS SCANNER and ran it.... (it wouldn't let me download HIJACKTHIS through the DECKARDS installation) so it installed the HIJACKTHIS clone... here are my results - hope this helps?!?!?

I have 2 results: MAIN.TXT & EXTRA.TXT.

Can someone please help? I am @ my wits' end - thanks in advance for any advice...

Deckard's System Scanner v20071014.68
Run by Owner on 2007-11-04 19:58:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-11-05 00:59:03 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2007-11-04 20:47:37 UTC - RP3 - Installed Java™ 6 Update 3
2: 2007-11-04 17:29:58 UTC - RP2 - Restore Operation
1: 2007-11-04 17:18:56 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-04 20:04:40
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\alertic.exe
C:\Program Files\WinAmp\winampa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari Icon.exe
C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {30FE5C92-3751-4821-AF7B-1B69F7C3067B} - C:\WINDOWS\system32\tuvss.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6FA1305D-B243-75C8-D106-64550DF62945} - C:\WINDOWS\system32\uit.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: {15fb16bc-0c49-066a-39c4-99decf51fd3a} - {a3df15fc-ed99-4c93-a660-94c0cb61bf51} - C:\WINDOWS\system32\cowsekle.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - C:\WINDOWS\system32\ramtmb.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: IE Class - {E385DF17-3B18-11D6-8CF3-00304F10A79B} - C:\Program Files\iDownload.com\Popup Blocker\Helper.dll
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Popup Blocker] "C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iprvdso] C:\Program Files\Knpxra\Ghcw.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Atari Launcher 2] "C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe"
O4 - HKLM\..\Run: [Atari Launcher] "C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [e88f3759] "rundll32.exe" "C:\WINDOWS\system32\alfwtlxj.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\GREETING CARDS\AG CreataCard\agremind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Spades () - http://download.game...nts/y/st2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} () - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167266843915
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.24 85.255.112.184
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.24 85.255.112.184
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\smshlyhl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\CCPWDSVC.EXE
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\COMHOST.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Notification Service (Winaltet) - Unknown owner - C:\WINDOWS\System32\winaltet.exe -srv
O24 - Desktop Component 0: - http://www.brownhair...9/jimage.jpg
O24 - Desktop Component 1: - http://i9.photobucke...01/ajhot.jpg
O24 - Desktop Component 2: - http://images.barnes...10295452.gif
O24 - Desktop Component 3: - http://csmail.compus...nline/noname
O24 - Desktop Component 4: - http://www.importedb...ductid=16220
O24 - Desktop Component 5: - http://mail.charter....o...S&v=charter

--
End of file - 15083 bytes

-- File Associations -----------------------------------------------------------

.txt - txtfile - shell\open\command - notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Winalert (Windows Alert Service) - c:\windows\system32\alertic.exe -srv <Not Verified; Microsoft Corporation; Microsoft® DRM>

S2 Winaltet (Windows Notification Service) - c:\windows\system32\winaltet.exe -srv (file missing)
S3 PictureTaker - c:\windows\system32\pctkrnt.sys <Not Verified; LANovation; PictureTaker Software Family>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-29 09:49:05 498 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Owner.job
2007-10-29 09:49:02 548 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
2007-10-25 02:00:00 488 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
2007-10-24 23:00:22 308 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job


-- Files created between 2007-10-04 and 2007-11-04 -----------------------------

2007-11-04 18:29:18 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-04 18:29:11 0 d-------- C:\b3e43d4539310e128fe19e35
2007-11-04 18:27:35 0 d-------- C:\{00004495-0000-0000-5942-503B070B6CD8}
2007-11-04 18:23:00 0 d-------- C:\{8001BC26-0000-0000-C2BC-E5AC2E094943}
2007-11-04 15:58:18 0 d-------- C:\Program Files\Windows Live Safety Center
2007-11-04 15:48:54 0 d-------- C:\Program Files\Java
2007-11-04 15:47:59 0 d-------- C:\Program Files\Common Files\Java
2007-11-04 15:41:45 86080 --a------ C:\WINDOWS\system32\alfwtlxj.dll
2007-11-04 15:35:39 78912 --a------ C:\WINDOWS\system32\cowsekle.dll
2007-11-04 14:46:48 392094 --ahs---- C:\WINDOWS\system32\ssvut.ini2
2007-11-04 12:18:45 5242880 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-11-04 12:18:44 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-04 12:04:37 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-04 11:38:26 0 d-------- C:\Documents and Settings\LocalService\SendTo
2007-11-04 11:38:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities
2007-11-04 11:37:46 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-11-04 11:37:42 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-11-04 11:37:42 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-11-04 10:58:48 78912 --a------ C:\WINDOWS\system32\opaffeba.dll
2007-11-04 10:55:51 86080 -----n--- C:\WINDOWS\system32\aupwltum.dll
2007-11-04 09:36:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-04 09:34:26 0 d-------- C:\Program Files\Webroot
2007-11-04 09:34:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-11-04 09:34:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-04 09:26:00 164 --a------ C:\install.dat
2007-11-03 21:49:28 87616 --a------ C:\WINDOWS\system32\lddmgalm.dll
2007-11-03 21:46:27 81472 --a------ C:\WINDOWS\system32\ovxmjlkj.dll
2007-11-03 09:25:13 81472 --a------ C:\WINDOWS\system32\bfbgjocc.dll
2007-11-03 09:19:09 87616 --a------ C:\WINDOWS\system32\rthmvkeq.dll
2007-11-02 06:49:50 85568 --a------ C:\WINDOWS\system32\bxohqvjw.dll
2007-10-30 21:16:22 0 d-------- C:\Program Files\InCode Solutions
2007-10-30 19:33:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-30 19:33:20 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-30 19:33:20 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-30 19:33:20 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-10-30 19:33:20 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-30 19:33:20 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-30 19:33:20 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-10-30 19:33:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-30 19:33:20 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-10-30 19:33:20 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-30 19:33:20 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-10-30 19:33:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-30 19:33:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-30 19:33:19 524288 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2007-10-29 09:42:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-10-29 09:42:20 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-10-29 06:25:56 10 --a------ C:\WINDOWS\26171344
2007-10-29 06:25:40 77824 --a------ C:\WINDOWS\system32\alertic.exe <Not Verified; Microsoft Corporation; Microsoft® DRM>
2007-10-28 19:55:48 589 --a------ C:\WINDOWS\system32\gcppqkid.dll
2007-10-25 05:05:48 378883 ---hs---- C:\WINDOWS\system32\ssvut.bak2
2007-10-24 19:23:36 0 d-------- C:\Program Files\Norton Internet Security
2007-10-24 18:52:20 0 d-------- C:\WINDOWS\system32\System
2007-10-24 18:52:19 0 d-------- C:\Program Files\Norton Password Manager
2007-10-24 18:50:44 0 d-------- C:\Program Files\Symantec
2007-10-24 17:21:31 0 d-------- C:\Program Files\e-zshopper
2007-10-24 17:21:27 0 d-------- C:\WINDOWS\system32\acespy
2007-10-24 17:05:31 389505 ---hs---- C:\WINDOWS\system32\ssvut.bak1
2007-10-24 17:03:56 317536 --a------ C:\WINDOWS\system32\tuvss.dll
2007-10-24 16:58:57 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-10-24 08:19:47 0 d-------- C:\Program Files\ISM2
2007-10-24 06:49:35 0 d-------- C:\WINDOWS\system32\W?nSxS
2007-10-21 08:23:49 0 d-------- C:\Program Files\Temporary
2007-10-21 08:20:50 0 d-------- C:\Program Files\T?sks
2007-10-18 06:54:27 81920 --a------ C:\WINDOWS\148138101 <Not Verified; Microsoft Corporation; Microsoft® DRM>
2007-10-16 14:40:54 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-10-16 14:40:54 0 d-------- C:\Program Files\Coupons


-- Find3M Report ---------------------------------------------------------------

2007-11-04 18:37:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-04 15:47:59 0 d-a------ C:\Program Files\Common Files
2007-11-04 11:38:22 0 d-------- C:\Program Files\Web Publish
2007-10-24 18:54:37 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-21 14:02:43 0 d-------- C:\Program Files\T?sks
2007-10-09 08:39:25 0 d-------- C:\Program Files\GREETING CARDS
2007-10-01 14:14:15 77824 --a------ C:\WINDOWS\148119614 <Not Verified; Microsoft Corporation; Microsoft® DRM>
2007-09-08 02:07:01 34304 --a------ C:\WINDOWS\148096421 <Not Verified; Microsoft; NT Service Control Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30FE5C92-3751-4821-AF7B-1B69F7C3067B}]
10/24/2007 05:03 PM 317536 --a------ C:\WINDOWS\system32\tuvss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FA1305D-B243-75C8-D106-64550DF62945}]
C:\WINDOWS\system32\uit.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
C:\Program Files\ISM\BndDrive7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a3df15fc-ed99-4c93-a660-94c0cb61bf51}]
11/04/2007 03:35 PM 78912 --a------ C:\WINDOWS\system32\cowsekle.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B}]
C:\WINDOWS\system32\ramtmb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E385DF17-3B18-11D6-8CF3-00304F10A79B}]
08/11/2003 07:56 PM 94208 --a------ C:\PROGRA~1\IDOWNL~1.COM\POPUPB~1\Helper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [07/03/2004 09:37 AM C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [07/03/2004 09:37 AM]
"ATIModeChange"="Ati2mdxx.exe" [07/03/2004 09:37 AM C:\WINDOWS\system32\Ati2mdxx.exe]
"Multi-function Keyboard"="GWHotKey.exe" [08/28/2001 11:13 AM C:\WINDOWS\GWHotKey.exe]
"Popup Blocker"="C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe" [08/20/2003 06:13 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/16/2004 07:11 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/03/2002 06:50 PM]
"Iprvdso"="C:\Program Files\Knpxra\Ghcw.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [12/20/2004 01:41 PM]
"Atari Launcher 2"="C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe" [03/08/2000 10:21 AM]
"Atari Launcher"="C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe" [06/25/1999 02:41 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 02:06 AM]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [07/29/2005 09:32 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/22/2007 09:19 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"e88f3759"="rundll32.exe" [08/04/2004 02:56 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [08/29/2005 12:51 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/30/2007 08:49 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [4/26/2005 7:58:36 PM]
Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [11/6/2006 9:53:37 PM]
Forget Me Not.lnk - C:\Program Files\GREETING CARDS\AG CreataCard\agremind.exe [11/6/2006 9:14:08 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/30/2007 8:49:43 PM]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/5/2003 11:37:10 PM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 1:06:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kddkd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\smshlyhl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tuvss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders rpasspc.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-11-04 20:06:42 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 510.98 MiB / 146.41 MiB
Pagefile Memory (total/avail): 1247.43 MiB / 820.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.01 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 23.9 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N040ATCS04-0 - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: Norton Internet Security 2006 v2006 (Symantec Corporation)
AV: Spy Sweeper with AntiVirus v5.5.7.103 (Webroot Software Inc)
AV: Norton Internet Security 2006 v2006 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Enabled:Secure Delivery Plug-In"
"C:\\Program Files\\JavaSoft\\JRE\\1.3.1_02\\bin\\javaw.exe"="C:\\Program Files\\JavaSoft\\JRE\\1.3.1_02\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\CompuServe 7.0\\wcs2000.exe"="C:\\Program Files\\CompuServe 7.0\\wcs2000.exe:*:Enabled:CompuServe"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\esis32\\jre\\1.3.1\\bin\\javaw.exe"="C:\\esis32\\jre\\1.3.1\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\esis32\\jre\\1.4.2\\bin\\javaw.exe"="C:\\esis32\\jre\\1.4.2\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\funkitron\\Slingo Deluxe\\Slingo-am-G.exe"="C:\\Program Files\\funkitron\\Slingo Deluxe\\Slingo-am-G.exe:*:Enabled:Slingo ®"
"C:\\Documents and Settings\\Slingo Deluxe\\Slingo-am-G.exe"="C:\\Documents and Settings\\Slingo Deluxe\\Slingo-am-G.exe:*:Enabled:Slingo ®"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=H
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\H
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=H
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
American Greetings CreataCard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B58AA53-6EB9-405E-AB6B-6B83C16235F1}\setup.exe" -l0x9 anything
Atari Arcade Hits 1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Uninst.isu"
Atari Arcade Hits 2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Atari\Atari Arcade Hits 2\Uninst.isu"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CC_ccProxyExt --> MsiExec.exe /I{2EBF25F1-F8A2-40EA-92BE-931C142A44E2}
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
ccPxyCore --> MsiExec.exe /I{30738666-9805-4926-A78F-91DA33B6C437}
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Desktop Weather by The Weather Channel --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
Digimax Viewer 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A20EF228-8545-45D8-8E2E-6D067948727E}\SETUP.EXE"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Do More 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2B7C41F-C63D-4935-B323-B60673724D63}\setup.exe" -l0x9
DVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Event Planner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1182355-1464-4B43-8986-031A86808495}\Setup.exe"
Gateway Desktop Manager --> C:\Program Files\Gateway\BMPMAN\GWBMPMAN.exe UNINSTALL
Gateway Drivers and Applications Recovery --> C:\Program Files\Gateway\HPA\GWMenu.exe UNINSTALL
Gateway Internet Links --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile 99A393E0-1F86-4AB7-9FE3-ACEC7E10098F /Prompt
Gateway Multi-function Keyboard --> C:\WINDOWS\gwhotkey.exe -U
Gateway Power Management --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile CABC148C-D45D-431C-AEC7-6E7CC31E8583 /Prompt
Gateway Rhapsody --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile 20BBF229-A337-40AD-9FEB-2C98CDA53D1C /Prompt
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GTW V.92 Voicemodem --> C:\WINDOWS\GWMDMU.exe verbose
Hallmark Card Studio 2003 --> C:\WINDOWS\IsUninst.exe -f"c:\program files\greeting cards\VuUninst.isu" -c"c:\program files\greeting cards\Uninstpa.DLL"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 1200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
HP Photo and Imaging 2.0 - hp psc 2200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
hp psc 2200 series --> MsiExec.exe /X{913DA816-E8E4-4467-8D22-E2DF5DBF04E4}
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{90840409-6000-11D3-8CFE-0150048383C9}
Microsoft PowerPoint Viewer 97 --> C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe D:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}
Mouse Suite --> Pmuninst.exe MouseSuite98
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton AntiVirus 2006 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security 2006 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe" /X
Norton Password Manager --> MsiExec.exe /I{8315D4B0-9BF2-4D63-8654-74B89D288D6E}
Norton Password Manager (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{8315D4B0-9BF2-4D63-8654-74B89D288D6E}.exe /X
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NPM_DRM_COLLECTION --> MsiExec.exe /I{E38D4B55-212A-4016-BE7E-ED3A6153CBEA}
Popup Blocker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F36980F-B89A-42F5-A0E0-5850ED9252F4}\Setup.exe" -l0x9
PowerPak for PowerPoint Sampler --> C:\Program Files\PowerPak\UnInstall_51238.exe
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Samsung Digimax 340 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Samsung\Samsung Digimax 340\Uninst.isu"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Slingo Deluxe --> C:\PROGRA~1\FUNKIT~1\SLINGO~1\UNWISE.EXE C:\PROGRA~1\FUNKIT~1\SLINGO~1\INSTALL.LOG
Solitaire Master 3 --> C:\PROGRA~1\eGames\SOLITA~1\UNWISE.EXE C:\PROGRA~1\eGames\SOLITA~1\INSTALL.LOG
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tetris (remove only) --> "C:\Program Files\Tetris\Tetris\uninstall.exe"
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
Virtual Key --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\System32\DeIsL1.isu -cC:\WINDOWS\System32\VkUninst.dll
Watson --> MsiExec.exe /I{9B88DD94-1AAE-41C4-BD95-2D8737D5E9E2}
Weather Services --> C:\WINDOWS\System32\control.exe C:\WINDOWS\System32\wxfw.cpl,4
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinPhlash --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile 7A7A3120-0DBA-4CEC-895C-67DB0B86F7CB /Prompt
Wireless-G Notebook Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2EDF5F-F3C6-4919-AE34-C08A71AD034A}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type7681 / Error
Event Submitted/Written: 11/04/2007 07:52:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msimn.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7658 / Warning
Event Submitted/Written: 11/04/2007 06:56:46 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type7654 / Warning
Event Submitted/Written: 11/04/2007 06:45:33 PM
Event ID/Source: 1020 / ASP.NET 2.0.50727.0
Event Description:
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Event Record #/Type7647 / Error
Event Submitted/Written: 11/04/2007 05:48:48 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msimn.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7621 / Error
Event Submitted/Written: 11/04/2007 02:54:42 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Internet connection not detected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2139 / Error
Event Submitted/Written: 11/04/2007 07:03:04 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows Notification Service service failed to start due to the following error:
%%2

Event Record #/Type2084 / Error
Event Submitted/Written: 11/04/2007 03:28:33 PM / 11/04/2007 03:28:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows Notification Service service failed to start due to the following error:
%%2

Event Record #/Type2077 / Warning
Event Submitted/Written: 11/04/2007 03:07:21 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\YOUR-0591B6C1CB on the network \Device\NetBT_Tcpip_{5BF830F0-CD2C-4320-B18C-7BB04244988A}.
The data is the error code.

Event Record #/Type2028 / Error
Event Submitted/Written: 11/04/2007 02:45:30 PM / 11/04/2007 02:45:32 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows Notification Service service failed to start due to the following error:
%%2

Event Record #/Type1989 / Error
Event Submitted/Written: 11/04/2007 00:48:52 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows Notification Service service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2007-11-04 20:06:42 ------------

#2
racenutalways (Retired Staff)
Hello KingzJnky22, and welcome to G2G. You have been hit with multiple infections, so we are going to need to do this in stages. Strap yourself down and let's get to it. :)

Go to Start | Run and type this in the box: services.msc
  • Locate the service named 'Windows Notification Service' or 'Winaltet', then right-click it and select Properties.
  • Under Service Status, select Stop.
  • In the drop-down box labeled Startup Type, select Disabled.

Please go HERE and click the "Download VundoFix" link.
Download VundoFix to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When I receive the FixWareout, ComboFix, VundoFix and HijackThis reports, I will analyze them and advise a fix.
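The two logs above are read by eye in this thread: a helper spots that the Windows firewall is off, that the Security Center "DisableNotify" values are set so the user is never warned, that P2P clients and an unknown khost.exe sit in the firewall exception list, and that a "Windows Notification Service" fails to start on every boot (the service the reply asks to stop and disable). The tools the reply prescribes each target one more indicator: FixWareout a hijacked nameserver and a non-empty Winlogon "System" value, VundoFix a run entry that loads a random-named DLL through rundll32. The script below is an added example, not part of this thread nor of Deckard's System Scanner, FixWareout, VundoFix or HijackThis. It scans log lines in those formats and flags each of these indicators. The sample lines are constructed to match the formats posted here; the 85.255.112.0/20 range used for the DNS check and the default `C:\WINDOWS` path used to expand `%windir%` are assumptions stated in the code.

```python
"""Triage of malware-removal tool output in the formats seen in this thread.

Added example: this is not part of Deckard's System Scanner, FixWareout, VundoFix
or HijackThis. It reads log lines and returns (category, detail) findings.
"""
import ipaddress
import re

# Assumption: 85.255.112.0/20 is the block the Wareout/DNSChanger family pointed
# victims' resolvers at; any nameserver inside it is treated as hijacked.
ROGUE_DNS = ipaddress.ip_network("85.255.112.0/20")
# Assumption: default XP install path, used only to expand %windir% for reporting.
WINDIR = "C:\\WINDOWS"
P2P_CLIENTS = {"limewire.exe", "bearshare.exe", "kazaa.exe", "emule.exe"}

# Firewall exception export line: "<path>"="<path>:*:Enabled:<display name>"
FW_EXCEPTION = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):\*:(?P<state>\w+):(?P<name>.*)"$')
NAMESERVER = re.compile(r'^"nameserver"="(?P<ips>[^"]*)"', re.IGNORECASE)
# Winlogon\System is empty on a clean XP box; Wareout puts its loader there.
WINLOGON_SYSTEM = re.compile(r'Winlogon\\ "System"="(?P<value>[^"]*)"', re.IGNORECASE)
# Vundo run entry: hex-named value running rundll32 on a random 8-letter DLL in system32.
RUNDLL_RANDOM = re.compile(
    r'^"(?P<key>[0-9a-f]{8})"=.*rundll32\.exe.*system32\\+(?P<dll>[a-z]{8})\.dll', re.IGNORECASE)
SERVICE_FAILED = re.compile(r'^The (?P<svc>.+?) service failed to start')

# Constructed sample modelled on the logs posted in this thread, not read from a live machine.
SAMPLE_LOG = r'''
Windows Internal Firewall is disabled.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Enabled:Secure Delivery Plug-In"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"nameserver"="85.255.116.24 85.255.112.184"
HKLM\SOFTWARE\~\Winlogon\ "System"="kddkd.exe"
"e88f3759"="\"rundll32.exe\" \"C:\\WINDOWS\\system32\\alfwtlxj.dll\",b"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
The Windows Notification Service service failed to start due to the following error:
'''


def _normalize(path):
    """Collapse the doubled backslashes of a .reg-style export and expand %windir%."""
    return path.replace("\\\\", "\\").replace("%windir%", WINDIR)


def _standard_location(path):
    """True when the executable lives under system32 or Program Files."""
    p = path.lower()
    return p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\program files\\")


def triage(log_text):
    """Scan log lines and return a list of (category, detail) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Windows Internal Firewall is disabled.":
            findings.append(("firewall", "Windows Firewall is off"))
            continue
        if line.endswith("DisableNotify is set."):
            # Security Center nags are suppressed, so the user is never told AV/firewall are off.
            flag = line[: -len(" is set.")]
            findings.append(("security-center", flag + " suppresses Security Center alerts"))
            continue
        m = FW_EXCEPTION.match(line)
        if m:
            if m.group("state").lower() == "enabled":
                path = _normalize(m.group("path"))
                exe = path.rsplit("\\", 1)[-1].lower()
                if exe in P2P_CLIENTS:
                    findings.append(("fw-exception", "P2P client allowed through firewall: " + path))
                elif not _standard_location(path):
                    findings.append(("fw-exception", "exception outside system32/Program Files: " + path))
            continue
        m = NAMESERVER.match(line)
        if m:
            for ip in m.group("ips").split():
                try:
                    if ipaddress.ip_address(ip) in ROGUE_DNS:
                        findings.append(("dns-hijack", f"nameserver {ip} is inside {ROGUE_DNS}"))
                except ValueError:
                    findings.append(("dns-hijack", f"unparseable nameserver value {ip!r}"))
            continue
        m = WINLOGON_SYSTEM.search(line)
        if m:
            if m.group("value"):
                findings.append(("winlogon", f"Winlogon System value is {m.group('value')!r} (empty on a clean box)"))
            continue
        m = RUNDLL_RANDOM.match(line)
        if m:
            findings.append(("vundo-run", f"run value {m.group('key')} loads random-named {m.group('dll')}.dll via rundll32"))
            continue
        m = SERVICE_FAILED.match(line)
        if m:
            findings.append(("service", f"service {m.group('svc')!r} fails to start; check its binary path in services.msc"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

`triage()` takes any text, so the contents of main.txt, extra.txt or a FixWareout report.txt can be passed straight in. Every finding is a pointer for a human, not a verdict: khost.exe is flagged only because it sits outside the two directories most legitimate exceptions live in, and the service check reports the display name the event log gives, so the binary path still has to be confirmed in services.msc before anything is disabled.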

#3
KingzJnky22 (Topic Starter)
Hi

Thanks for your help - this is much appreciated.

Sorry for the slow response, been out of town.

Seems that the virus warnings have slowed down / stopped - but still real slow and annoying pop-ups from 'privacy tool' wanting me to download their virus tool...

And Spy Sweeper keeps popping up telling me that it is blocking attempts to access certain sites...

But here are my new reports...


COMBOFIX
ComboFix 07-11-08.1 - Owner 2007-11-13 11:40:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\e-zshopper
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\targets.gz
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\Temporary
C:\Program Files\tsks~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\alertic.exe
C:\WINDOWS\system32\bxohqvjw.dll
C:\WINDOWS\system32\ssvut.bak1
C:\WINDOWS\system32\ssvut.bak2
C:\WINDOWS\system32\ssvut.ini
C:\WINDOWS\system32\ssvut.ini2
C:\WINDOWS\system32\ssvut.tmp
C:\WINDOWS\system32\system
C:\WINDOWS\system32\system\msxml4.dll
C:\WINDOWS\system32\system\msxml4r.dll
C:\WINDOWS\system32\tuvss.dll
C:\WINDOWS\system32\wjvqhoxb.ini
C:\WINDOWS\system32\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 11:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 10:51 <DIR> d-------- C:\VundoFix Backups
2007-11-04 19:57 <DIR> d-------- C:\Deckard
2007-11-04 18:29 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-04 18:27 <DIR> d-------- C:\{00004495-0000-0000-5942-503B070B6CD8}
2007-11-04 18:23 <DIR> d-------- C:\{8001BC26-0000-0000-C2BC-E5AC2E094943}
2007-11-04 15:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-04 15:48 <DIR> d-------- C:\Program Files\Java
2007-11-04 15:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-04 15:41 86,080 --a------ C:\WINDOWS\system32\alfwtlxj.dll
2007-11-04 15:35 78,912 --a------ C:\WINDOWS\system32\cowsekle.dll
2007-11-04 12:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-04 10:58 78,912 --a------ C:\WINDOWS\system32\opaffeba.dll
2007-11-04 10:55 86,080 --------- C:\WINDOWS\system32\aupwltum.dll
2007-11-04 09:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-04 09:35 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-04 09:35 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-04 09:35 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-04 09:35 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-04 09:34 <DIR> d-------- C:\Program Files\Webroot
2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-04 09:34 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-04 09:26 164 --a------ C:\install.dat
2007-11-03 21:49 87,616 --a------ C:\WINDOWS\system32\lddmgalm.dll
2007-11-03 21:46 81,472 --a------ C:\WINDOWS\system32\ovxmjlkj.dll
2007-11-03 09:25 81,472 --a------ C:\WINDOWS\system32\bfbgjocc.dll
2007-11-03 09:19 87,616 --a------ C:\WINDOWS\system32\rthmvkeq.dll
2007-10-30 21:16 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-28 19:55 589 --a------ C:\WINDOWS\system32\gcppqkid.dll
2007-10-24 19:23 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-24 19:17 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-24 19:17 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-24 18:52 <DIR> d-------- C:\Program Files\Norton Password Manager
2007-10-24 18:51 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-24 18:50 <DIR> d-------- C:\Program Files\Symantec
2007-10-24 17:21 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-16 14:40 <DIR> d-------- C:\Program Files\Coupons
2007-10-16 14:40 31 --ah----- C:\WINDOWS\uccspecc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 16:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-13 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-13 00:29 --------- d-----w C:\Program Files\GREETING CARDS
2007-11-04 16:38 --------- d-----w C:\Program Files\Web Publish
2007-10-25 01:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-25 01:19 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-25 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-01 18:49 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-01 18:49 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-01 18:49 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-01 18:49 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-01 18:49 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-01 18:48 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2005-08-06 23:32 5,182,784 ----a-w C:\Documents and Settings\Owner\PeerAnia.com.exe
2005-07-24 02:35 28,680 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-13 20:12 877,056 ----a-w C:\Program Files\iview395.exe
2004-12-21 08:00 274,664 ----a-w C:\Program Files\aolsupp.exe
2004-11-17 00:37 747,407 ----a-w C:\Program Files\SBYSetup.exe
2004-08-19 15:11 2,855,552 ----a-w C:\Program Files\PPView97.exe
2004-08-19 14:51 2,483,605 ----a-w C:\Program Files\PowerPakSampler.exe
2004-08-19 14:48 808,200 ----a-w C:\Program Files\ppt2ksec.exe
2004-08-18 14:52 683,132 ----a-w C:\Program Files\flashplayer7installer.exe
2004-08-17 21:55 6,688 ----a-w C:\Program Files\livelog-2004-08-17.html
2004-08-17 00:03 9,828,946 ----a-w C:\Program Files\QuickTimeInstallCache.qdat
2004-08-16 23:56 574,632 ----a-w C:\Program Files\QuickTimeInstaller.exe
2004-08-03 21:13 1,096,455 ----a-w C:\Program Files\ashampoo_burnitaudiocd111_se.exe
2004-08-03 20:56 4,325,376 ----a-w C:\Program Files\ashampoo_mediaplayer185_fe.exe
2004-08-03 20:54 1,003 ----a-w C:\Program Files\ashampoo_mediaplayer_fe.exe
2004-07-21 20:42 182,424 ----a-w C:\Program Files\ratmigptoy.exe
2004-07-06 21:17 93 ----a-w C:\Program Files\browser.ini
2004-07-06 21:17 4,766,724 ----a-w C:\Program Files\gecko.exe
2002-02-20 06:29 712,384 ----a-w C:\Program Files\DATA1.CAB
2002-02-20 06:29 47,970 ----a-w C:\Program Files\DATA1.HDR
2002-02-20 06:29 434 ----a-w C:\Program Files\LAYOUT.BIN
2002-02-20 06:29 2,449,328 ----a-w C:\Program Files\DATA2.CAB
2002-02-20 06:29 145,619 ----a-w C:\Program Files\SETUP.INX
2002-02-20 06:29 103 ----a-w C:\Program Files\SETUP.INI
2002-01-15 02:16 561,656 ----a-w C:\Program Files\SETUP.BMP
2001-09-05 18:06 344,923 ----a-w C:\Program Files\IKERNEL.EX_
2000-05-15 08:23 41,472 ----a-w C:\Program Files\SETUP.EXE
.

VUNDOFIX
VundoFix V6.5.11

Checking Java version...

Scan started at 12:27:38 PM 11/13/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


FIXWAREOUT
Username "Owner" - 11/13/2007 11:08:34 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kddkd.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.24 85.255.112.184" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"ATIModeChange"="Ati2mdxx.exe"
"Multi-function Keyboard"="GWHotKey.exe"
"Popup Blocker"="\"C:\\Program Files\\iDownload.com\\Popup Blocker\\popupblocker.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Iprvdso"="C:\\Program Files\\Knpxra\\Ghcw.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"Atari Launcher 2"="\"C:\\Program Files\\Atari\\Atari Arcade Hits 2\\Atari icon.exe\""
"Atari Launcher"="\"C:\\Program Files\\Hasbro Interactive\\Atari Arcade Hits 1\\Atari icon.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"AcctMgr"="\"C:\\Program Files\\Norton Password Manager\\AcctMgr.exe\" /startup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"e88f3759"="\"rundll32.exe\" \"C:\\WINDOWS\\system32\\alfwtlxj.dll\",b"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"RemoveIT Pro XT"="C:\\Program Files\\InCode Solutions\\RemoveIT Pro v4-Trial\\removeit.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~

DECKARDS SCANNER / HIJACKTHIS CLONE
Deckard's System Scanner v20071014.68
Run by Owner on 2007-11-13 12:34:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-13 12:35:03
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinAmp\winampa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari Icon.exe
C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\dss.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6FA1305D-B243-75C8-D106-64550DF62945} - C:\WINDOWS\system32\uit.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: {15fb16bc-0c49-066a-39c4-99decf51fd3a} - {a3df15fc-ed99-4c93-a660-94c0cb61bf51} - C:\WINDOWS\system32\cowsekle.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - C:\WINDOWS\system32\ramtmb.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: IE Class - {E385DF17-3B18-11D6-8CF3-00304F10A79B} - C:\Program Files\iDownload.com\Popup Blocker\Helper.dll
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Popup Blocker] "C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iprvdso] C:\Program Files\Knpxra\Ghcw.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Atari Launcher 2] "C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe"
O4 - HKLM\..\Run: [Atari Launcher] "C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [e88f3759] "rundll32.exe" "C:\WINDOWS\system32\alfwtlxj.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\GREETING CARDS\AG CreataCard\agremind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Spades () - http://download.game...nts/y/st2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} () - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167266843915
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\smshlyhl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\CCPWDSVC.EXE
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\COMHOST.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe -srv
O23 - Service: Windows Notification Service (Winaltet) - Unknown owner - C:\WINDOWS\System32\winaltet.exe -srv
O24 - Desktop Component 0: - http://www.brownhair...9/jimage.jpg
O24 - Desktop Component 1: - http://i9.photobucke...01/ajhot.jpg
O24 - Desktop Component 2: - http://images.barnes...10295452.gif
O24 - Desktop Component 3: - http://csmail.compus...nline/noname
O24 - Desktop Component 4: - http://www.importedb...ductid=16220
O24 - Desktop Component 5: - http://mail.charter....o...S&v=charter

--
End of file - 14874 bytes
  • 0

#4
racenutalways (Member 1K, Retired Staff, 1,675 posts)
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Go to Start | Run and type this in the box: services.msc
  • Locate these services: 'Windows Alert Service' (Winalert) and 'Windows Notification Service', then right-click each and select Properties.
  • Under Service Status: select Stop
  • In the drop down box labeled, Startup Type: select Disabled
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.


O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6FA1305D-B243-75C8-D106-64550DF62945} - C:\WINDOWS\system32\uit.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: {15fb16bc-0c49-066a-39c4-99decf51fd3a} - {a3df15fc-ed99-4c93-a660-94c0cb61bf51} - C:\WINDOWS\system32\cowsekle.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - C:\WINDOWS\system32\ramtmb.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: IE Class - {E385DF17-3B18-11D6-8CF3-00304F10A79B} - C:\Program Files\iDownload.com\Popup Blocker\Helper.dll
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [Popup Blocker] "C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe"
O4 - HKLM\..\Run: [Iprvdso] C:\Program Files\Knpxra\Ghcw.exe
O4 - HKLM\..\Run: [e88f3759] "rundll32.exe" "C:\WINDOWS\system32\alfwtlxj.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\smshlyhl.dll
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe -srv
O23 - Service: Windows Notification Service (Winaltet) - Unknown owner - C:\WINDOWS\System32\winaltet.exe -srv


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

ISM
iDownload.com
Knpxra


1. Please open Notepad:
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\alfwtlxj.dll
C:\WINDOWS\system32\cowsekle.dll
C:\WINDOWS\system32\opaffeba.dll
C:\WINDOWS\system32\aupwltum.dll
C:\install.dat
C:\WINDOWS\system32\lddmgalm.dll
C:\WINDOWS\system32\ovxmjlkj.dll
C:\WINDOWS\system32\bfbgjocc.dll
C:\WINDOWS\system32\rthmvkeq.dll
C:\WINDOWS\system32\gcppqkid.dll
C:\Program Files\SBYSetup.exe
C:\WINDOWS\system32\uit.dll
C:\WINDOWS\system32\ramtmb.dll
C:\WINDOWS\system32\alfwtlxj.dll
C:\WINDOWS\system32\smshlyhl.dll
C:\WINDOWS\System32\alertic.exe
C:\WINDOWS\System32\winaltet.exe

Folder::
C:\Program Files\ISM
C:\Program Files\iDownload.com
C:\Program Files\Knpxra

Driver::
C:\WINDOWS\uccspecc.sys



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe; image not preserved]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
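The entries racenutalways singled out above share a few tells: registry entries whose target file is gone ("(no file)", "(file missing)"), a BHO whose display name is a bare GUID, a Run key that starts rundll32 on an eight-letter DLL, any AppInit_DLLs value at all, and services with no vendor string that live in System32 under a Windows-sounding name. The Python script below is added here as an illustration; it is not part of this thread and not HijackThis code. It encodes those tells as triage rules and runs them over a constructed sample log modelled on the entries quoted in the thread. The eight-lowercase-letter name heuristic, the severity labels and the 192.0.2.10 proxy address are assumptions.

```python
"""Triage rules for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: entry types modelled on the ones quoted in this
# thread, with 192.0.2.10 as a placeholder proxy address.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {15fb16bc-0c49-066a-39c4-99decf51fd3a} - {a3df15fc-ed99-4c93-a660-94c0cb61bf51} - C:\WINDOWS\system32\cowsekle.dll
O4 - HKLM\..\Run: [e88f3759] "rundll32.exe" "C:\WINDOWS\system32\alfwtlxj.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\smshlyhl.dll
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe -srv
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.0.2.10
"""

# "O23 - Service: ..." / "R1 - HKCU\..." : section code, dash, body.
LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Heuristic (assumption): droppers of this era used per-machine file names of
# eight random lowercase letters; vendor DLL names nearly always carry
# capitals or digits, so this pattern rarely hits legitimate files.
RANDOM_DLL_RE = re.compile(r"\\[a-z]{8}\.dll\b")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" (act), "review" (verify by hand), "orphan" (dead entry)
    reason: str
    line: str


def assess(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; None means nothing stood out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if "(no file)" in body or "(file missing)" in body:
        return Finding("orphan", "entry points at a file that no longer exists", line)
    if kind.startswith("R") and "AutoConfigURL" in body:
        return Finding("high", "proxy auto-config set; browser traffic can be routed through a proxy the user never chose", line)
    if kind == "O20":
        return Finding("high", "AppInit_DLLs loads this DLL into every process that uses user32.dll", line)
    if kind == "O2" and body.startswith("BHO: {"):
        return Finding("high", "browser helper object whose display name is a bare GUID", line)
    if kind == "O4" and "rundll32.exe" in body.lower() and RANDOM_DLL_RE.search(body):
        return Finding("high", "Run key starts rundll32 on a randomly named DLL", line)
    if kind == "O23" and "Unknown owner" in body and SYSTEM32_RE.search(body):
        return Finding("review", "service with no vendor string running from System32; verify by hand", line)
    if RANDOM_DLL_RE.search(body):
        return Finding("review", "randomly named DLL; compare with the other findings", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run assess() over every line and keep the hits, in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = assess(raw)
        if f is not None:
            findings.append(f)
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'review': 2, 'orphan': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line.strip()}")
    print(summary(triage(SAMPLE_LOG)))
```

The ATI HotKey Poller line lands in the same "review" bucket as the fake Windows Alert Service, and that is the point: the rules shrink the list to a handful of candidates, and a person still has to decide, as racenutalways did by leaving the ATI service alone and fixing only the two unknown-owner services with Windows-sounding names.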

#5
KingzJnky22 (Topic Starter, Member, 16 posts)
ComboFix 07-11-19.3 - Owner 2007-11-21 23:02:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.161 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\install.dat
C:\Program Files\SBYSetup.exe
C:\WINDOWS\System32\alertic.exe
C:\WINDOWS\system32\alfwtlxj.dll
C:\WINDOWS\system32\aupwltum.dll
C:\WINDOWS\system32\bfbgjocc.dll
C:\WINDOWS\system32\cowsekle.dll
C:\WINDOWS\system32\gcppqkid.dll
C:\WINDOWS\system32\lddmgalm.dll
C:\WINDOWS\system32\opaffeba.dll
C:\WINDOWS\system32\ovxmjlkj.dll
C:\WINDOWS\system32\ramtmb.dll
C:\WINDOWS\system32\rthmvkeq.dll
C:\WINDOWS\system32\smshlyhl.dll
C:\WINDOWS\system32\uit.dll
C:\WINDOWS\System32\winaltet.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.dat
C:\Program Files\iDownload.com
C:\Program Files\iDownload.com\Popup Blocker\alarm.wav
C:\Program Files\iDownload.com\Popup Blocker\log
C:\Program Files\iDownload.com\Popup Blocker\popupblocker.exe
C:\Program Files\iDownload.com\Popup Blocker\whitelist
C:\Program Files\Knpxra
C:\Program Files\SBYSetup.exe
C:\WINDOWS\system32\gcppqkid.dll
C:\WINDOWS\system32\lddmgalm.dll
C:\WINDOWS\system32\rthmvkeq.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-21 22:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-21 22:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-21 22:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-21 22:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-09 16:56 681,991 ---hs---- C:\WINDOWS\system32\jxltwfla.ini
2007-11-04 19:57 <DIR> d-------- C:\Deckard
2007-11-04 18:29 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-04 18:27 <DIR> d-------- C:\{00004495-0000-0000-5942-503B070B6CD8}
2007-11-04 18:23 <DIR> d-------- C:\{8001BC26-0000-0000-C2BC-E5AC2E094943}
2007-11-04 15:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-04 15:54 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-04 15:50 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-04 15:48 <DIR> d-------- C:\Program Files\Java
2007-11-04 15:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-04 12:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-04 10:56 654 ---hs---- C:\WINDOWS\system32\mutlwpua.ini
2007-11-04 09:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-04 09:35 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-04 09:35 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-04 09:35 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-04 09:35 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-04 09:34 <DIR> d-------- C:\Program Files\Webroot
2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-04 09:34 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-03 21:49 576,803 ---hs---- C:\WINDOWS\system32\mlagmddl.ini
2007-11-03 09:19 572,570 ---hs---- C:\WINDOWS\system32\qekvmhtr.ini
2007-11-03 09:19 572,537 ---hs---- C:\WINDOWS\system32\xrdanqsk.tmp
2007-11-02 07:25 572,537 ---hs---- C:\WINDOWS\system32\xrdanqsk.ini
2007-11-01 09:41 490,742 ---hs---- C:\WINDOWS\system32\qxcudjhk.ini
2007-10-30 21:16 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-30 13:51 477,888 ---hs---- C:\WINDOWS\system32\pfsndxje.ini
2007-10-29 11:05 585,795 ---hs---- C:\WINDOWS\system32\qjrmopss.ini
2007-10-29 09:38 477,845 ---hs---- C:\WINDOWS\system32\cytyfwud.ini
2007-10-29 06:25 34,304 --a------ C:\WINDOWS\system32\NTSVC.ocx
2007-10-28 20:03 478,567 ---hs---- C:\WINDOWS\system32\gsbxgwxk.ini
2007-10-27 18:04 1,172,360 ---hs---- C:\WINDOWS\system32\igqctitb.ini
2007-10-27 07:42 1,177,059 ---hs---- C:\WINDOWS\system32\jqlbrqim.ini
2007-10-25 17:05 1,172,600 ---hs---- C:\WINDOWS\system32\xcvldbob.ini
2007-10-25 07:01 693,721 ---hs---- C:\WINDOWS\system32\ahoiuyjj.ini
2007-10-25 07:01 693,601 ---hs---- C:\WINDOWS\system32\htqwwcqu.tmp
2007-10-25 06:11 693,601 ---hs---- C:\WINDOWS\system32\htqwwcqu.ini
2007-10-25 05:20 693,481 ---hs---- C:\WINDOWS\system32\lmfvrkua.ini
2007-10-24 20:15 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-24 20:15 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-24 19:23 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-24 19:17 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-24 19:17 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-24 18:52 <DIR> d-------- C:\Program Files\Norton Password Manager
2007-10-24 18:51 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-24 18:50 <DIR> d-------- C:\Program Files\Symantec
2007-10-24 17:21 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-24 16:59 2 --a------ C:\WINDOWS\system32\lt.res
2007-10-24 16:58 3,720 --a------ C:\WINDOWS\system32\sft.res

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 03:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-14 16:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-13 00:29 --------- d-----w C:\Program Files\GREETING CARDS
2007-11-04 16:38 --------- d-----w C:\Program Files\Web Publish
2007-10-25 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-16 19:40 --------- d-----w C:\Program Files\Coupons
2007-10-01 18:49 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-01 18:49 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-01 18:49 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-01 18:49 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-01 18:49 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-01 18:48 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2005-08-06 23:32 5,182,784 ----a-w C:\Documents and Settings\Owner\PeerAnia.com.exe
2005-07-24 02:35 28,680 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-13 20:12 877,056 ----a-w C:\Program Files\iview395.exe
2004-12-21 08:00 274,664 ----a-w C:\Program Files\aolsupp.exe
2004-08-19 15:11 2,855,552 ----a-w C:\Program Files\PPView97.exe
2004-08-19 14:51 2,483,605 ----a-w C:\Program Files\PowerPakSampler.exe
2004-08-19 14:48 808,200 ----a-w C:\Program Files\ppt2ksec.exe
2004-08-18 14:52 683,132 ----a-w C:\Program Files\flashplayer7installer.exe
2004-08-17 21:55 6,688 ----a-w C:\Program Files\livelog-2004-08-17.html
2004-08-17 00:03 9,828,946 ----a-w C:\Program Files\QuickTimeInstallCache.qdat
2004-08-16 23:56 574,632 ----a-w C:\Program Files\QuickTimeInstaller.exe
2004-08-03 21:13 1,096,455 ----a-w C:\Program Files\ashampoo_burnitaudiocd111_se.exe
2004-08-03 20:56 4,325,376 ----a-w C:\Program Files\ashampoo_mediaplayer185_fe.exe
2004-08-03 20:54 1,003 ----a-w C:\Program Files\ashampoo_mediaplayer_fe.exe
2004-07-21 20:42 182,424 ----a-w C:\Program Files\ratmigptoy.exe
2004-07-06 21:17 93 ----a-w C:\Program Files\browser.ini
2004-07-06 21:17 4,766,724 ----a-w C:\Program Files\gecko.exe
2002-02-20 06:29 712,384 ----a-w C:\Program Files\DATA1.CAB
2002-02-20 06:29 47,970 ----a-w C:\Program Files\DATA1.HDR
2002-02-20 06:29 434 ----a-w C:\Program Files\LAYOUT.BIN
2002-02-20 06:29 2,449,328 ----a-w C:\Program Files\DATA2.CAB
2002-02-20 06:29 145,619 ----a-w C:\Program Files\SETUP.INX
2002-02-20 06:29 103 ----a-w C:\Program Files\SETUP.INI
2002-01-15 02:16 561,656 ----a-w C:\Program Files\SETUP.BMP
2001-09-05 18:06 344,923 ----a-w C:\Program Files\IKERNEL.EX_
2000-05-15 08:23 41,472 ----a-w C:\Program Files\SETUP.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-08-29 12:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 20:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2004-07-03 09:37 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2004-07-03 09:37]
"ATIModeChange"="Ati2mdxx.exe" [2004-07-03 09:37 C:\WINDOWS\system32\Ati2mdxx.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 11:13 C:\WINDOWS\GWHotKey.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-16 19:11]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 18:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 13:41]
"Atari Launcher 2"="C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe" [2000-03-08 10:21]
"Atari Launcher"="C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe" [1999-06-25 14:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2005-07-29 09:32]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2005-04-26 19:58:36]
Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2006-11-06 21:53:37]
Forget Me Not.lnk - C:\Program Files\GREETING CARDS\AG CreataCard\agremind.exe [2006-11-06 21:14:08]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-30 20:49:43]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders rpasspc.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S4 Winalert;Windows Alert Service;C:\WINDOWS\System32\alertic.exe -srv
S4 Winaltet;Windows Notification Service;C:\WINDOWS\System32\winaltet.exe -srv

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 01:00:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe
"2007-10-29 14:49:05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\NAVW32.EXE
"2007-11-19 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2007-11-19 05:00:02 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 23:10:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-21 23:14:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-21 23:00
C:\ComboFix3.txt ... 2007-11-13 12:05
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 11:36:12 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Atari Launcher 2] "C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe"
O4 - HKLM\..\Run: [Atari Launcher] "C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167266843915
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

thanks...
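As an added example (not part of the original post, and not HijackThis code), the following Python script applies the triage rules a log reader uses on a log like the one above: an R1 AutoConfigURL pointing at a bare IP address (every request IE makes is then proxied wherever that PAC file says), orphaned O2/O9 entries whose target reads "(no file)" or "(file missing)", eight-letter lower-case binary names under system32 of the kind the Vundo family generates (jxltwfla, xrdanqsk and friends in this thread), and O23 services with no publisher name. The sample input is a handful of lines copied from the log above plus one constructed [abcdefgh] entry, labelled as such in the code; the severity labels and the eight-letter rule are this example's own heuristics, not a HijackThis feature.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high", "medium", "low" or "info"
    line: str       # the HijackThis line that triggered the rule
    reason: str


# Sample input: lines copied from the HijackThis log above, plus ONE constructed
# entry ([abcdefgh]) that stands in for a randomly named Vundo/Virtumonde loader.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [abcdefgh] C:\WINDOWS\system32\abcdefgh.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<rest>.*)$")
BARE_IP_RE = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?$")
# Generated names seen in this thread are exactly eight lower-case letters under
# system32. Lower-case only on purpose, so mixed-case Microsoft names such as
# WgaLogon.dll do not trip the rule.
RANDOM_NAME_RE = re.compile(r"\\[Ss]ystem32\\[a-z]{8}\.(?:exe|dll)\b")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a human's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # headers, blank lines, process list
        sec, rest = m.group("sec"), m.group("rest")

        # R1 AutoConfigURL: a PAC script picks the proxy for every request, so a
        # hijacked value routes all browsing through whatever the attacker chose.
        if sec == "R1" and "AutoConfigURL" in rest and "=" in rest:
            value = rest.split("=", 1)[1].strip()
            if BARE_IP_RE.match(value):
                findings.append(Finding("high", line, "proxy auto-config served from a bare IP address"))
            else:
                findings.append(Finding("medium", line, "AutoConfigURL is set; confirm the PAC URL is yours"))

        if rest.endswith(ORPHAN_MARKERS):
            findings.append(Finding("low", line, "orphaned entry; target is no longer on disk"))

        if sec in ("O4", "O20", "O21", "O23") and RANDOM_NAME_RE.search(rest):
            findings.append(Finding("high", line, "eight-letter lower-case binary name under system32"))

        if sec == "O23" and "Unknown owner" in rest:
            findings.append(Finding("info", line, "service binary carries no publisher name; verify the file"))
    return findings


def by_severity(findings: List[Finding]) -> dict:
    """Count findings per severity so a reader can see the shape of a log at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as a script to print the findings, or import `triage` and feed it a whole log. The lower-case-only rule is deliberate: it keeps names like WgaLogon.dll from being flagged, at the cost of missing generated names that happen to contain capitals, so treat a clean result as "nothing obvious", not as "clean".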

#6
racenutalways (Member 1K, Retired Staff, 1,675 posts)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\jxltwfla.ini
C:\WINDOWS\system32\mutlwpua.ini
C:\WINDOWS\system32\mlagmddl.ini
C:\WINDOWS\system32\qekvmhtr.ini
C:\WINDOWS\system32\xrdanqsk.tmp
C:\WINDOWS\system32\xrdanqsk.ini
C:\WINDOWS\system32\qxcudjhk.ini
C:\WINDOWS\system32\pfsndxje.ini
C:\WINDOWS\system32\qjrmopss.ini
C:\WINDOWS\system32\cytyfwud.ini
C:\WINDOWS\system32\gsbxgwxk.ini
C:\WINDOWS\system32\igqctitb.ini
C:\WINDOWS\system32\jqlbrqim.ini
C:\WINDOWS\system32\xcvldbob.ini
C:\WINDOWS\system32\ahoiuyjj.ini
C:\WINDOWS\system32\htqwwcqu.tmp
C:\WINDOWS\system32\htqwwcqu.ini
C:\WINDOWS\system32\lmfvrkua.ini
C:\WINDOWS\System32\alertic.exe
C:\WINDOWS\System32\winaltet.exe
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\sft.res

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not reproduced]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Panda only works if you are using Internet Explorer.

This will clean out all cookies and temp files, making the Panda scan a little quicker.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you also use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

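An added example, not part of this post and not a ComboFix tool: a Python checker for CFScript.txt before it is dragged onto ComboFix, and for the log afterwards. It parses the File:: and Registry:: sections, refuses File:: lines that are not absolute drive paths or that name a core Windows binary, flags [-KEY] deletions outside the standard hives or close to a hive root, and then compares the File:: list with the "Other Deletions" section of the ComboFix log to report which requested files were never confirmed deleted. The embedded script is the one above, abridged to five files; the log excerpt is constructed in ComboFix's layout with the two .exe entries left out so the mismatch shows. The protected-binary list and the depth threshold are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# The CFScript from the post above (abridged to five File:: entries), embedded
# so the example runs offline.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\jxltwfla.ini
C:\WINDOWS\system32\xrdanqsk.tmp
C:\WINDOWS\System32\alertic.exe
C:\WINDOWS\System32\winaltet.exe
C:\WINDOWS\system32\lt.res

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
"""

# An "Other Deletions" excerpt in the layout ComboFix prints, constructed for
# this example: the two .exe entries are deliberately absent from it.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jxltwfla.ini
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\xrdanqsk.tmp

.
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT")
# A File:: line naming one of these should stop the review cold: deleting them
# leaves an unbootable XP, and none of them is a plausible cleanup target.
# (This list is the example's own assumption, not a ComboFix rule.)
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
             "svchost.exe", "explorer.exe", "userinit.exe", "ntoskrnl.exe", "hal.dll"}


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; blank lines are separators."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def validate(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (section, entry, problem) triples for entries a reviewer should not approve."""
    problems = []
    for path in sections.get("File", []):
        if not ABS_PATH_RE.match(path):
            problems.append(("File", path, "not an absolute drive path"))
        elif path.rsplit("\\", 1)[-1].lower() in PROTECTED:
            problems.append(("File", path, "core Windows binary"))
    for entry in sections.get("Registry", []):
        m = DELETE_KEY_RE.match(entry)
        if not m:
            continue                      # .reg-style value edits are outside this check
        key = m.group(1)
        if not key.startswith(HIVES):
            problems.append(("Registry", entry, "unrecognised hive"))
        elif key.count("\\") < 3:
            problems.append(("Registry", entry, "near-root key; deletion too broad"))
    return problems


def confirm_deletions(sections: Dict[str, List[str]], log_text: str) -> Tuple[List[str], List[str]]:
    """Split File:: entries into those ComboFix listed under 'Other Deletions' and the rest."""
    deleted = set()
    inside = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break                         # next banner: end of the section
        elif inside and ABS_PATH_RE.match(line):
            deleted.add(line.lower())     # NTFS paths compare case-insensitively
    requested = sections.get("File", [])
    confirmed = [p for p in requested if p.lower() in deleted]
    missing = [p for p in requested if p.lower() not in deleted]
    return confirmed, missing


if __name__ == "__main__":
    secs = parse_cfscript(CFSCRIPT)
    for problem in validate(secs):
        print("REFUSE:", *problem)
    ok, missing = confirm_deletions(secs, COMBOFIX_LOG)
    print(f"{len(ok)} of {len(secs['File'])} requested files confirmed deleted")
    for p in missing:
        print("not confirmed:", p)
```

Files that show up as "not confirmed" are the ones to look for by hand after the reboot: ComboFix only lists what it actually removed, so a requested path that never appears under "Other Deletions" either was not there to begin with or was not removed, and the two cases need different follow-up.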

#7
KingzJnky22 (Topic Starter, Member, 16 posts)
Here are my reports - it would not let me scan my comp with 'panda'; tried using the 'scan pc now' & 'scan pc' buttons.
Usually at the bottom of my IE browser it shows an address when I run my pointer over a link of some sort - on the panda website it shows nothing going over the 'scan' buttons? Maybe I am doing something wrong? Tried everything I could think of...

ComboFix 07-11-19.3 - Owner 2007-11-24 10:58:05.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ahoiuyjj.ini
C:\WINDOWS\System32\alertic.exe
C:\WINDOWS\system32\cytyfwud.ini
C:\WINDOWS\system32\gsbxgwxk.ini
C:\WINDOWS\system32\htqwwcqu.ini
C:\WINDOWS\system32\htqwwcqu.tmp
C:\WINDOWS\system32\igqctitb.ini
C:\WINDOWS\system32\jqlbrqim.ini
C:\WINDOWS\system32\jxltwfla.ini
C:\WINDOWS\system32\lmfvrkua.ini
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\mlagmddl.ini
C:\WINDOWS\system32\mutlwpua.ini
C:\WINDOWS\system32\pfsndxje.ini
C:\WINDOWS\system32\qekvmhtr.ini
C:\WINDOWS\system32\qjrmopss.ini
C:\WINDOWS\system32\qxcudjhk.ini
C:\WINDOWS\system32\sft.res
C:\WINDOWS\System32\winaltet.exe
C:\WINDOWS\system32\xcvldbob.ini
C:\WINDOWS\system32\xrdanqsk.ini
C:\WINDOWS\system32\xrdanqsk.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ahoiuyjj.ini
C:\WINDOWS\system32\cytyfwud.ini
C:\WINDOWS\system32\gsbxgwxk.ini
C:\WINDOWS\system32\htqwwcqu.ini
C:\WINDOWS\system32\htqwwcqu.tmp
C:\WINDOWS\system32\igqctitb.ini
C:\WINDOWS\system32\jqlbrqim.ini
C:\WINDOWS\system32\jxltwfla.ini
C:\WINDOWS\system32\lmfvrkua.ini
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\mlagmddl.ini
C:\WINDOWS\system32\mutlwpua.ini
C:\WINDOWS\system32\pfsndxje.ini
C:\WINDOWS\system32\qekvmhtr.ini
C:\WINDOWS\system32\qjrmopss.ini
C:\WINDOWS\system32\qxcudjhk.ini
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\xcvldbob.ini
C:\WINDOWS\system32\xrdanqsk.ini
C:\WINDOWS\system32\xrdanqsk.tmp

.
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-21 22:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-21 22:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 19:57 <DIR> d-------- C:\Deckard
2007-11-04 18:29 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-04 18:27 <DIR> d-------- C:\{00004495-0000-0000-5942-503B070B6CD8}
2007-11-04 18:23 <DIR> d-------- C:\{8001BC26-0000-0000-C2BC-E5AC2E094943}
2007-11-04 15:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-04 15:54 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-04 15:50 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-04 15:48 <DIR> d-------- C:\Program Files\Java
2007-11-04 15:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-04 12:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-04 09:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-04 09:35 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-04 09:35 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-04 09:35 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-04 09:35 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-04 09:34 <DIR> d-------- C:\Program Files\Webroot
2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-04 09:34 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-30 21:16 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-30 14:18 478,128 ---hs---- C:\WINDOWS\system32\wpagsjor.ini
2007-10-29 06:25 34,304 --a------ C:\WINDOWS\system32\NTSVC.ocx
2007-10-24 20:15 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-24 20:15 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-24 19:23 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-24 19:17 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-24 18:52 <DIR> d-------- C:\Program Files\Norton Password Manager
2007-10-24 18:51 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-24 18:50 <DIR> d-------- C:\Program Files\Symantec
2007-10-24 17:21 <DIR> d-------- C:\WINDOWS\system32\acespy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-22 03:04 3,728 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-14 16:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-13 00:29 --------- d-----w C:\Program Files\GREETING CARDS
2007-11-04 16:38 --------- d-----w C:\Program Files\Web Publish
2007-10-25 01:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-25 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-16 19:40 --------- d-----w C:\Program Files\Coupons
2007-10-01 18:49 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-01 18:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 18:49 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-01 18:49 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-01 18:49 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-01 18:49 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-01 18:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-01 18:48 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-09-06 04:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
2005-08-06 23:32 5,182,784 ----a-w C:\Documents and Settings\Owner\PeerAnia.com.exe
2005-07-24 02:35 28,680 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-13 20:12 877,056 ----a-w C:\Program Files\iview395.exe
2004-12-21 08:00 274,664 ----a-w C:\Program Files\aolsupp.exe
2004-08-19 15:11 2,855,552 ----a-w C:\Program Files\PPView97.exe
2004-08-19 14:51 2,483,605 ----a-w C:\Program Files\PowerPakSampler.exe
2004-08-19 14:48 808,200 ----a-w C:\Program Files\ppt2ksec.exe
2004-08-18 14:52 683,132 ----a-w C:\Program Files\flashplayer7installer.exe
2004-08-17 21:55 6,688 ----a-w C:\Program Files\livelog-2004-08-17.html
2004-08-17 00:03 9,828,946 ----a-w C:\Program Files\QuickTimeInstallCache.qdat
2004-08-16 23:56 574,632 ----a-w C:\Program Files\QuickTimeInstaller.exe
2004-08-03 21:13 1,096,455 ----a-w C:\Program Files\ashampoo_burnitaudiocd111_se.exe
2004-08-03 20:56 4,325,376 ----a-w C:\Program Files\ashampoo_mediaplayer185_fe.exe
2004-08-03 20:54 1,003 ----a-w C:\Program Files\ashampoo_mediaplayer_fe.exe
2004-07-21 20:42 182,424 ----a-w C:\Program Files\ratmigptoy.exe
2004-07-06 21:17 93 ----a-w C:\Program Files\browser.ini
2004-07-06 21:17 4,766,724 ----a-w C:\Program Files\gecko.exe
2002-02-20 06:29 712,384 ----a-w C:\Program Files\DATA1.CAB
2002-02-20 06:29 47,970 ----a-w C:\Program Files\DATA1.HDR
2002-02-20 06:29 434 ----a-w C:\Program Files\LAYOUT.BIN
2002-02-20 06:29 2,449,328 ----a-w C:\Program Files\DATA2.CAB
2002-02-20 06:29 145,619 ----a-w C:\Program Files\SETUP.INX
2002-02-20 06:29 103 ----a-w C:\Program Files\SETUP.INI
2002-01-15 02:16 561,656 ----a-w C:\Program Files\SETUP.BMP
2001-09-05 18:06 344,923 ----a-w C:\Program Files\IKERNEL.EX_
2000-05-15 08:23 41,472 ----a-w C:\Program Files\SETUP.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-11-21_22.59.19.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-16 14:20:06 3,432 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\CATALOG.DAT
+ 2007-10-16 14:20:06 2,454,576 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\CCERASER.DLL
+ 2007-10-16 14:20:06 284,016 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\ECMSVR32.DLL
+ 2007-10-16 14:20:06 395,312 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\EECTRL.SYS
+ 2007-10-16 14:20:06 112,688 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\ERASER.SYS
+ 2007-11-21 09:00:00 4,815,633 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\ESRDEF.BIN
+ 2007-11-14 09:00:00 81,232 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\NAVENG.SYS
+ 2007-11-14 09:00:00 124,272 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\NAVENG32.DLL
+ 2007-11-14 09:00:00 865,904 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\NAVEX15.SYS
+ 2007-11-14 09:00:00 914,800 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\NAVEX32A.DLL
+ 2007-10-16 14:20:06 97,776 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\SCRAUTH.DAT
+ 2007-11-21 09:00:00 400,641 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\TCDEFS.DAT
+ 2007-11-21 09:00:00 2,361,417 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\TCSCAN7.DAT
+ 2007-11-21 09:00:00 413,635 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\TCSCAN8.DAT
+ 2007-11-21 09:00:00 974,754 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\TCSCAN9.DAT
+ 2007-11-21 09:00:00 68,335 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\TSCAN1.DAT
+ 2007-10-16 14:20:06 3,240 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\TSCAN1HD.DAT
+ 2007-11-21 09:00:00 996,239 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN1.DAT
+ 2007-11-21 09:00:00 570,966 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN2.DAT
+ 2007-11-21 09:00:00 150,608 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN3.DAT
+ 2007-11-21 09:00:00 320,253 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN4.DAT
+ 2007-11-21 09:00:00 4,899,735 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN5.DAT
+ 2007-11-21 09:00:00 392,228 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN6.DAT
+ 2007-11-21 09:00:00 15,204,398 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN7.DAT
+ 2007-11-21 09:00:00 1,866,655 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN8.DAT
+ 2007-11-21 09:00:00 5,291,270 ----a-w C:\WINDOWS\Temp\slu3bc7.tmp\VIRSCAN9.DAT
+ 2007-10-16 14:20:06 3,432 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\CATALOG.DAT
+ 2007-10-16 14:20:06 2,454,576 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\CCERASER.DLL
+ 2007-10-16 14:20:06 284,016 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\ECMSVR32.DLL
+ 2007-10-16 14:20:06 395,312 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\EECTRL.SYS
+ 2007-10-16 14:20:06 112,688 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\ERASER.SYS
+ 2007-11-21 09:00:00 4,815,633 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\ESRDEF.BIN
+ 2007-11-14 09:00:00 81,232 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\NAVENG.SYS
+ 2007-11-14 09:00:00 124,272 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\NAVENG32.DLL
+ 2007-11-14 09:00:00 865,904 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\NAVEX15.SYS
+ 2007-11-14 09:00:00 914,800 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\NAVEX32A.DLL
+ 2007-10-16 14:20:06 97,776 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\SCRAUTH.DAT
+ 2007-11-21 09:00:00 400,641 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\TCDEFS.DAT
+ 2007-11-21 09:00:00 2,361,417 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\TCSCAN7.DAT
+ 2007-11-21 09:00:00 413,635 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\TCSCAN8.DAT
+ 2007-11-21 09:00:00 974,754 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\TCSCAN9.DAT
+ 2007-11-21 09:00:00 68,335 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\TSCAN1.DAT
+ 2007-10-16 14:20:06 3,240 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\TSCAN1HD.DAT
+ 2007-11-21 09:00:00 996,239 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN1.DAT
+ 2007-11-21 09:00:00 570,966 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN2.DAT
+ 2007-11-21 09:00:00 150,608 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN3.DAT
+ 2007-11-21 09:00:00 320,253 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN4.DAT
+ 2007-11-21 09:00:00 4,899,735 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN5.DAT
+ 2007-11-21 09:00:00 392,228 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN6.DAT
+ 2007-11-21 09:00:00 15,204,398 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN7.DAT
+ 2007-11-21 09:00:00 1,866,655 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN8.DAT
+ 2007-11-21 09:00:00 5,291,270 ----a-w C:\WINDOWS\Temp\slu3c61.tmp\VIRSCAN9.DAT
+ 2007-10-16 14:20:06 3,432 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\CATALOG.DAT
+ 2007-10-16 14:20:06 2,454,576 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\CCERASER.DLL
+ 2007-10-16 14:20:06 284,016 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\ECMSVR32.DLL
+ 2007-10-16 14:20:06 395,312 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\EECTRL.SYS
+ 2007-10-16 14:20:06 112,688 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\ERASER.SYS
+ 2007-11-21 09:00:00 4,815,633 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\ESRDEF.BIN
+ 2007-11-14 09:00:00 81,232 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\NAVENG.SYS
+ 2007-11-14 09:00:00 124,272 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\NAVENG32.DLL
+ 2007-11-14 09:00:00 865,904 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\NAVEX15.SYS
+ 2007-11-14 09:00:00 914,800 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\NAVEX32A.DLL
+ 2007-10-16 14:20:06 97,776 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\SCRAUTH.DAT
+ 2007-11-21 09:00:00 400,641 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\TCDEFS.DAT
+ 2007-11-21 09:00:00 2,361,417 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\TCSCAN7.DAT
+ 2007-11-21 09:00:00 413,635 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\TCSCAN8.DAT
+ 2007-11-21 09:00:00 974,754 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\TCSCAN9.DAT
+ 2007-11-21 09:00:00 68,335 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\TSCAN1.DAT
+ 2007-10-16 14:20:06 3,240 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\TSCAN1HD.DAT
+ 2007-11-21 09:00:00 996,239 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN1.DAT
+ 2007-11-21 09:00:00 570,966 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN2.DAT
+ 2007-11-21 09:00:00 150,608 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN3.DAT
+ 2007-11-21 09:00:00 320,253 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN4.DAT
+ 2007-11-21 09:00:00 4,899,735 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN5.DAT
+ 2007-11-21 09:00:00 392,228 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN6.DAT
+ 2007-11-21 09:00:00 15,204,398 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN7.DAT
+ 2007-11-21 09:00:00 1,866,655 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN8.DAT
+ 2007-11-21 09:00:00 5,291,270 ----a-w C:\WINDOWS\Temp\slu5e79.tmp\VIRSCAN9.DAT
+ 2007-10-16 14:20:06 3,432 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\CATALOG.DAT
+ 2007-10-16 14:20:06 2,454,576 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\CCERASER.DLL
+ 2007-10-16 14:20:06 284,016 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\ECMSVR32.DLL
+ 2007-10-16 14:20:06 395,312 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\EECTRL.SYS
+ 2007-10-16 14:20:06 112,688 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\ERASER.SYS
+ 2007-11-21 09:00:00 4,815,633 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\ESRDEF.BIN
+ 2007-11-14 09:00:00 81,232 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\NAVENG.SYS
+ 2007-11-14 09:00:00 124,272 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\NAVENG32.DLL
+ 2007-11-14 09:00:00 865,904 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\NAVEX15.SYS
+ 2007-11-14 09:00:00 914,800 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\NAVEX32A.DLL
+ 2007-10-16 14:20:06 97,776 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\SCRAUTH.DAT
+ 2007-11-21 09:00:00 400,641 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\TCDEFS.DAT
+ 2007-11-21 09:00:00 2,361,417 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\TCSCAN7.DAT
+ 2007-11-21 09:00:00 413,635 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\TCSCAN8.DAT
+ 2007-11-21 09:00:00 974,754 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\TCSCAN9.DAT
+ 2007-11-21 09:00:00 68,335 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\TSCAN1.DAT
+ 2007-10-16 14:20:06 3,240 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\TSCAN1HD.DAT
+ 2007-11-21 09:00:00 996,239 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN1.DAT
+ 2007-11-21 09:00:00 570,966 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN2.DAT
+ 2007-11-21 09:00:00 150,608 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN3.DAT
+ 2007-11-21 09:00:00 320,253 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN4.DAT
+ 2007-11-21 09:00:00 4,899,735 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN5.DAT
+ 2007-11-21 09:00:00 392,228 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN6.DAT
+ 2007-11-21 09:00:00 15,204,398 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN7.DAT
+ 2007-11-21 09:00:00 1,866,655 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN8.DAT
+ 2007-11-21 09:00:00 5,291,270 ----a-w C:\WINDOWS\Temp\slu5f81.tmp\VIRSCAN9.DAT
+ 2007-10-16 14:20:06 3,432 ----a-w C:\WINDOWS\Temp\slu7290.tmp\CATALOG.DAT
+ 2007-10-16 14:20:06 2,454,576 ----a-w C:\WINDOWS\Temp\slu7290.tmp\CCERASER.DLL
+ 2007-10-16 14:20:06 284,016 ----a-w C:\WINDOWS\Temp\slu7290.tmp\ECMSVR32.DLL
+ 2007-10-16 14:20:06 395,312 ----a-w C:\WINDOWS\Temp\slu7290.tmp\EECTRL.SYS
+ 2007-10-16 14:20:06 112,688 ----a-w C:\WINDOWS\Temp\slu7290.tmp\ERASER.SYS
+ 2007-11-21 09:00:00 4,815,633 ----a-w C:\WINDOWS\Temp\slu7290.tmp\ESRDEF.BIN
+ 2007-11-14 09:00:00 81,232 ----a-w C:\WINDOWS\Temp\slu7290.tmp\NAVENG.SYS
+ 2007-11-14 09:00:00 124,272 ----a-w C:\WINDOWS\Temp\slu7290.tmp\NAVENG32.DLL
+ 2007-11-14 09:00:00 865,904 ----a-w C:\WINDOWS\Temp\slu7290.tmp\NAVEX15.SYS
+ 2007-11-14 09:00:00 914,800 ----a-w C:\WINDOWS\Temp\slu7290.tmp\NAVEX32A.DLL
+ 2007-10-16 14:20:06 97,776 ----a-w C:\WINDOWS\Temp\slu7290.tmp\SCRAUTH.DAT
+ 2007-11-21 09:00:00 400,641 ----a-w C:\WINDOWS\Temp\slu7290.tmp\TCDEFS.DAT
+ 2007-11-21 09:00:00 2,361,417 ----a-w C:\WINDOWS\Temp\slu7290.tmp\TCSCAN7.DAT
+ 2007-11-21 09:00:00 413,635 ----a-w C:\WINDOWS\Temp\slu7290.tmp\TCSCAN8.DAT
+ 2007-11-21 09:00:00 974,754 ----a-w C:\WINDOWS\Temp\slu7290.tmp\TCSCAN9.DAT
+ 2007-11-21 09:00:00 68,335 ----a-w C:\WINDOWS\Temp\slu7290.tmp\TSCAN1.DAT
+ 2007-10-16 14:20:06 3,240 ----a-w C:\WINDOWS\Temp\slu7290.tmp\TSCAN1HD.DAT
+ 2007-11-21 09:00:00 996,239 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN1.DAT
+ 2007-11-21 09:00:00 570,966 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN2.DAT
+ 2007-11-21 09:00:00 150,608 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN3.DAT
+ 2007-11-21 09:00:00 320,253 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN4.DAT
+ 2007-11-21 09:00:00 4,899,735 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN5.DAT
+ 2007-11-21 09:00:00 392,228 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN6.DAT
+ 2007-11-21 09:00:00 15,204,398 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN7.DAT
+ 2007-11-21 09:00:00 1,866,655 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN8.DAT
+ 2007-11-21 09:00:00 5,291,270 ----a-w C:\WINDOWS\Temp\slu7290.tmp\VIRSCAN9.DAT
+ 2007-10-16 14:20:06 3,432 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\CATALOG.DAT
+ 2007-10-16 14:20:06 2,454,576 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\CCERASER.DLL
+ 2007-10-16 14:20:06 284,016 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\ECMSVR32.DLL
+ 2007-10-16 14:20:06 395,312 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\EECTRL.SYS
+ 2007-10-16 14:20:06 112,688 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\ERASER.SYS
+ 2007-11-21 09:00:00 4,815,633 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\ESRDEF.BIN
+ 2007-11-14 09:00:00 81,232 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\NAVENG.SYS
+ 2007-11-14 09:00:00 124,272 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\NAVENG32.DLL
+ 2007-11-14 09:00:00 865,904 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\NAVEX15.SYS
+ 2007-11-14 09:00:00 914,800 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\NAVEX32A.DLL
+ 2007-10-16 14:20:06 97,776 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\SCRAUTH.DAT
+ 2007-11-21 09:00:00 400,641 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\TCDEFS.DAT
+ 2007-11-21 09:00:00 2,361,417 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\TCSCAN7.DAT
+ 2007-11-21 09:00:00 413,635 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\TCSCAN8.DAT
+ 2007-11-21 09:00:00 974,754 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\TCSCAN9.DAT
+ 2007-11-21 09:00:00 68,335 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\TSCAN1.DAT
+ 2007-10-16 14:20:06 3,240 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\TSCAN1HD.DAT
+ 2007-11-21 09:00:00 996,239 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN1.DAT
+ 2007-11-21 09:00:00 570,966 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN2.DAT
+ 2007-11-21 09:00:00 150,608 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN3.DAT
+ 2007-11-21 09:00:00 320,253 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN4.DAT
+ 2007-11-21 09:00:00 4,899,735 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN5.DAT
+ 2007-11-21 09:00:00 392,228 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN6.DAT
+ 2007-11-21 09:00:00 15,204,398 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN7.DAT
+ 2007-11-21 09:00:00 1,866,655 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN8.DAT
+ 2007-11-21 09:00:00 5,291,270 ----a-w C:\WINDOWS\Temp\slu73ac.tmp\VIRSCAN9.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-08-29 12:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 20:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2004-07-03 09:37 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2004-07-03 09:37]
"ATIModeChange"="Ati2mdxx.exe" [2004-07-03 09:37 C:\WINDOWS\system32\Ati2mdxx.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 11:13 C:\WINDOWS\GWHotKey.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-16 19:11]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 18:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 13:41]
"Atari Launcher 2"="C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe" [2000-03-08 10:21]
"Atari Launcher"="C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe" [1999-06-25 14:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2005-07-29 09:32]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2005-04-26 19:58:36]
Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2006-11-06 21:53:37]
Forget Me Not.lnk - C:\Program Files\GREETING CARDS\AG CreataCard\agremind.exe [2006-11-06 21:14:08]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-30 20:49:43]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders rpasspc.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S4 Winalert;Windows Alert Service;C:\WINDOWS\System32\alertic.exe -srv
S4 Winaltet;Windows Notification Service;C:\WINDOWS\System32\winaltet.exe -srv

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 01:00:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exeh/TASK:
"2007-10-29 14:49:05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\NAVW32.EXEg/TASK:
"2007-11-19 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
- C:\Program Files\SpywareBot
"2007-11-23 05:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 11:01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-24 11:03:06
C:\ComboFix2.txt ... 2007-11-21 23:14
C:\ComboFix3.txt ... 2007-11-21 23:00
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 12:12:30 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Atari Launcher 2] "C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe"
O4 - HKLM\..\Run: [Atari Launcher] "C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167266843915
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  • 0
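The HijackThis log above is what the volunteers read by eye. As an added example (not code from this thread, from HijackThis or from its author), the script below applies a few of the same checks to lines copied from that log: an R1 AutoConfigURL that points at a bare IP address, an O16 DPF entry with no download source, an O9 entry whose target is marked "(file missing)", an O23 service listed with an unknown owner, and an O4 autorun whose command uses a double extension or runs straight from the user-profile root or a Temp folder. The rule set, the severity labels and the tag names are the editor's heuristics, not a HijackThis feature. Two sample lines are assumptions: the URL on the MUWebControl line is a placeholder (the posted log shows it truncated), and the final O4 line is a hypothetical entry built from the PeerAnia.com.exe path the helper later scripts for deletion; it does not appear in the posted log.

```python
"""Triage a HijackThis log with rules a malware-removal helper applies by eye.

Added example, not part of the thread.  The rules and tag names are the
editor's own heuristics; a flagged line is a lead, not a verdict.
"""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis log posted above.
# Assumptions: the MUWebControl URL is a placeholder (the posted copy is
# truncated) and the last O4 line is hypothetical, built from the PeerAnia
# path the helper scripts for deletion later in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://example.invalid/MUWebControl.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKCU\..\Run: [PeerAnia] C:\Documents and Settings\Owner\PeerAnia.com.exe
"""

PAC_RE = re.compile(r"^R1 - .*AutoConfigURL\s*=\s*(?P<url>\S*)")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -\s*(?P<url>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
DOUBLE_EXT_RE = re.compile(r"\.(?:com|txt|doc|jpg|gif|pdf|htm|html|scr)\.exe\b", re.I)
PROFILE_ROOT_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\[^\\]+\.exe\b", re.I)
TEMP_RE = re.compile(r"\\Local Settings\\Temp\\|\\Temp\\", re.I)

SEVERITY = {"high": 0, "medium": 1, "low": 2}


def _pac_host(url):
    """Strip scheme, credentials, port and path from a PAC URL, leaving the host."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    return host.split("/")[0].split("@")[-1].split(":")[0]


def triage_line(line):
    """Return a list of (severity, tag) findings for one HijackThis line."""
    findings = []
    if "(file missing)" in line:
        findings.append(("low", "orphaned-entry"))          # target gone; entry is dead weight
    m = PAC_RE.match(line)
    if m and m.group("url"):
        try:
            ip_address(_pac_host(m.group("url")))
            findings.append(("high", "pac-url-bare-ip"))    # proxy script served from a raw IP
        except ValueError:
            findings.append(("medium", "pac-url-set"))      # any PAC on a home PC deserves a look
    m = O16_RE.match(line)
    if m and not m.group("url").strip():
        findings.append(("medium", "dpf-no-source"))        # ActiveX entry with no download origin
    m = O23_RE.match(line)
    if m and m.group("owner").lower() == "unknown owner":
        findings.append(("low", "service-unknown-owner"))   # no vendor string; often benign
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if DOUBLE_EXT_RE.search(cmd):
            findings.append(("high", "double-extension"))
        if PROFILE_ROOT_RE.search(cmd) or TEMP_RE.search(cmd):
            findings.append(("medium", "autorun-from-user-profile"))
    return findings


def triage(log_text):
    """Run triage_line over a whole log and return (severity, tag, line), highest severity first."""
    report = []
    for line in log_text.splitlines():
        line = line.strip()
        for sev, tag in triage_line(line):
            report.append((sev, tag, line))
    report.sort(key=lambda r: SEVERITY[r[0]])
    return report


if __name__ == "__main__":
    for sev, tag, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {tag:26} {line}")
```

The benign control lines (Google Toolbar BHO, the Symantec service, the RemoveIT autorun in Program Files) produce no findings, and the Ati service is rated low because "Unknown owner" only means HijackThis found no vendor string. The point of scripting it is consistency across repeated logs from the same machine, which is exactly what this thread produces.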

#8 racenutalways - Retired Staff, 1,675 posts

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\wpagsjor.ini
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Owner\PeerAnia.com.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation of CFScript.txt being dragged onto ComboFix.exe]

SUPERAntiSpyware Home Edition (free version) - Download - Home Page

1. Install it and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:

1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Please leave the others unchecked.
5. Click the Close button to leave the control center screen.

6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:

1. After reboot, double-click the SUPERAntispyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.

14. Click close and close again to exit the program.
15. Save the log information. If needed (still infected) paste this info along with your HijackThis log.

Now, let's try this online scanner and see if it runs ok

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


  • 0
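The CFScript step above comes down to a plain-text file whose first line is the directive File:: followed by one full path per line. As an added example (not the helper's code and not part of ComboFix), the script below renders that file and, before anything is deleted, records the size and SHA-256 of each listed target that still exists, so the samples can be identified later even after they are gone from disk. Only the File:: layout comes from the post; the absolute-path check, the duplicate removal and the inventory are the editor's additions, and nothing here runs ComboFix or relies on how it quarantines.

```python
"""Write a ComboFix CFScript.txt and record what the targets were before removal.

Added example, not part of the thread or of ComboFix.  The File:: directive
and its one-path-per-line layout are taken from the helper's post; the
absolute-path check and the SHA-256 inventory are the editor's additions.
"""
import hashlib
import os
import re

WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def build_cfscript(file_paths):
    """Render a File:: section: the directive, then one full Windows path per line."""
    lines = ["File::"]
    seen = set()
    for raw in file_paths:
        p = raw.strip()
        if not p or p in seen:
            continue                                   # skip blanks and duplicates
        if not WIN_ABS_PATH.match(p):
            raise ValueError(f"not an absolute Windows path: {p!r}")
        seen.add(p)
        lines.append(p)
    return "\r\n".join(lines) + "\r\n"                 # CRLF, as Notepad on XP writes it


def inventory(file_paths):
    """Size and SHA-256 of every target that still exists, keyed by path."""
    result = {}
    for p in file_paths:
        if os.path.isfile(p):
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[p] = {"exists": True, "size": os.path.getsize(p), "sha256": h.hexdigest()}
        else:
            result[p] = {"exists": False, "size": None, "sha256": None}
    return result


def write_cfscript(out_path, file_paths):
    """Take the inventory, then write CFScript.txt; returns the inventory."""
    inv = inventory(file_paths)
    with open(out_path, "w", newline="") as fh:          # newline="" preserves the CRLFs
        fh.write(build_cfscript(file_paths))
    return inv


if __name__ == "__main__":
    TARGETS = [  # the three paths from the helper's post above
        r"C:\WINDOWS\system32\wpagsjor.ini",
        r"C:\WINDOWS\system32\tmp.reg",
        r"C:\Documents and Settings\Owner\PeerAnia.com.exe",
    ]
    print(build_cfscript(TARGETS))
    for path, info in inventory(TARGETS).items():
        print(path, info)
```

Keep the inventory output with the thread's logs: a hash lets a removed file be matched against later detections (the SUPERAntiSpyware log further down reports the same kind of files under different names) without keeping the binary around.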

#9 KingzJnky22 - Topic Starter, Member, 16 posts
Here are my logs as requested - It would not let me load the 'House Call' scanner - I tried to load v.6.5 and the page loads half way and locks up - I tried to load v.6.6 and it tells me that it is experiencing problems...

After I ran the 'Super Anti Spyware' scan (before reboot) - my 'Norton' popped up and told me that it found a virus and then told me that it deleted it, 'TROJAN.METJUAN' (hasn't shown up after reboot) - don't know if it is relevant or not...

but here are the rest of my logs you asked for...


ComboFix 07-12-02.7 - Owner 2007-12-02 20:08:00.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.116 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner\PeerAnia.com.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\wpagsjor.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\PeerAnia.com.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\wpagsjor.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-11-24 12:21 . 2007-11-24 12:21 <DIR> d-------- C:\Program Files\Universal
2007-11-21 22:03 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-21 22:03 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-21 22:03 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-21 22:03 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-21 22:03 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 19:57 . 2007-11-04 19:57 <DIR> d-------- C:\Deckard
2007-11-04 18:29 . 2007-11-04 18:30 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-04 18:27 . 2007-11-04 18:27 <DIR> d-------- C:\{00004495-0000-0000-5942-503B070B6CD8}
2007-11-04 18:23 . 2007-11-04 18:23 <DIR> d-------- C:\{8001BC26-0000-0000-C2BC-E5AC2E094943}
2007-11-04 15:58 . 2007-11-04 18:29 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-04 15:54 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-04 15:48 . 2007-11-24 12:33 <DIR> d-------- C:\Program Files\Java
2007-11-04 15:47 . 2007-11-04 15:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-04 12:04 . 2007-11-04 12:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-04 09:36 . 2007-11-04 09:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-04 09:35 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-04 09:35 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-04 09:35 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-04 09:35 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-04 09:34 . 2007-11-04 09:34 <DIR> d-------- C:\Program Files\Webroot
2007-11-04 09:34 . 2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-11-04 09:34 . 2007-11-04 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-04 09:34 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-24 17:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-13 00:29 --------- d-----w C:\Program Files\GREETING CARDS
2007-11-04 16:38 --------- d-----w C:\Program Files\Web Publish
2007-11-02 22:19 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-31 03:23 --------- d-----w C:\Program Files\InCode Solutions
2007-10-25 21:38 --------- d-----w C:\Program Files\Norton Password Manager
2007-10-25 01:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-25 01:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-25 01:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-25 01:19 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-25 01:19 --------- d-----w C:\Program Files\Symantec
2007-10-25 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-25 00:27 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-24 23:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-16 19:40 --------- d-----w C:\Program Files\Coupons
2007-10-01 18:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 18:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2005-07-24 02:35 28,680 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-13 20:12 877,056 ----a-w C:\Program Files\iview395.exe
2004-12-21 08:00 274,664 ----a-w C:\Program Files\aolsupp.exe
2004-08-19 15:11 2,855,552 ----a-w C:\Program Files\PPView97.exe
2004-08-19 14:51 2,483,605 ----a-w C:\Program Files\PowerPakSampler.exe
2004-08-19 14:48 808,200 ----a-w C:\Program Files\ppt2ksec.exe
2004-08-18 14:52 683,132 ----a-w C:\Program Files\flashplayer7installer.exe
2004-08-17 21:55 6,688 ----a-w C:\Program Files\livelog-2004-08-17.html
2004-08-17 00:03 9,828,946 ----a-w C:\Program Files\QuickTimeInstallCache.qdat
2004-08-16 23:56 574,632 ----a-w C:\Program Files\QuickTimeInstaller.exe
2004-08-03 21:13 1,096,455 ----a-w C:\Program Files\ashampoo_burnitaudiocd111_se.exe
2004-08-03 20:56 4,325,376 ----a-w C:\Program Files\ashampoo_mediaplayer185_fe.exe
2004-08-03 20:54 1,003 ----a-w C:\Program Files\ashampoo_mediaplayer_fe.exe
2004-07-21 20:42 182,424 ----a-w C:\Program Files\ratmigptoy.exe
2004-07-06 21:17 93 ----a-w C:\Program Files\browser.ini
2004-07-06 21:17 4,766,724 ----a-w C:\Program Files\gecko.exe
2002-02-20 06:29 712,384 ----a-w C:\Program Files\DATA1.CAB
2002-02-20 06:29 47,970 ----a-w C:\Program Files\DATA1.HDR
2002-02-20 06:29 434 ----a-w C:\Program Files\LAYOUT.BIN
2002-02-20 06:29 2,449,328 ----a-w C:\Program Files\DATA2.CAB
2002-02-20 06:29 145,619 ----a-w C:\Program Files\SETUP.INX
2002-02-20 06:29 103 ----a-w C:\Program Files\SETUP.INI
2002-01-15 02:16 561,656 ----a-w C:\Program Files\SETUP.BMP
2001-09-05 18:06 344,923 ----a-w C:\Program Files\IKERNEL.EX_
2000-05-15 08:23 41,472 ----a-w C:\Program Files\SETUP.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-08-29 12:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 20:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2004-07-03 09:37 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2004-07-03 09:37]
"ATIModeChange"="Ati2mdxx.exe" [2004-07-03 09:37 C:\WINDOWS\system32\Ati2mdxx.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 11:13 C:\WINDOWS\GWHotKey.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-16 19:11]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 18:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 13:41]
"Atari Launcher 2"="C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe" [2000-03-08 10:21]
"Atari Launcher"="C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe" [1999-06-25 14:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2005-07-29 09:32]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2005-04-26 19:58:36]
Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2006-11-06 21:53:37]
Forget Me Not.lnk - C:\Program Files\GREETING CARDS\AG CreataCard\agremind.exe [2006-11-06 21:14:08]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-30 20:49:43]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders rpasspc.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S4 Winalert;Windows Alert Service;C:\WINDOWS\System32\alertic.exe -srv
S4 Winaltet;Windows Notification Service;C:\WINDOWS\System32\winaltet.exe -srv

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 01:00:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe
"2007-10-29 14:49:05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\NAVW32.EXE
"2007-11-19 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
- C:\Program Files\SpywareBot

SUPERAntiSpyware Scan Log
Generated 12/02/2007 at 10:24 PM

Application Version : 3.6.1000

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 01:51:25

Memory items scanned : 545
Memory threats detected : 0
Registry items scanned : 5717
Registry threats detected : 1
File items scanned : 59506
File threats detected : 23

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@keywordmax[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Unclassified.SpywareBot (Not A Threat)
HKU\S-1-5-21-1708537768-113007714-854245398-1003\Software\SpywareBot

Trojan.Downloader-Gen/DDC
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\OKKVSOTW.EXE
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\QMMRIGWQ.EXE
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SSCMCPYA.EXE
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\WDRGYYBH.EXE
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\XVUMIIVF.EXE
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\YKOXFGQR.EXE
C:\DECKARD\SYSTEM SCANNER\20071113123351\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\YQJVMUDU.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP14\A0003453.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP14\A0003455.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP14\A0003482.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP14\A0003486.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP13\A0002428.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP13\A0002429.DLL


Logfile of HijackThis v1.99.1
Scan saved at 10:40:44 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Atari Launcher 2] "C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe"
O4 - HKLM\..\Run: [Atari Launcher] "C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167266843915
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

thanks again...

#10
racenutalways

    Member 1K

  • Retired Staff
  • 1,675 posts
Let me know how the PC is behaving, any pop ups etc...

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Let's try one more online scanner, if it doesn't work, I will have to ask my colleagues for assistance.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

#11
KingzJnky22

    Member

  • Topic Starter
  • Member
  • 16 posts
The Pop-ups stopped instantly after disabling the 'windows notification service'

The PC is actually running great the last few days or so.

I was able to use the 'kaspersky' online scanner! Here is my log for that and another 'hijack this' log after the scans were done...

Monday, December 03, 2007 10:21:48 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/12/2007
Kaspersky Anti-Virus database records: 471564


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 61389
Number of viruses found 21
Number of infected objects 61
Number of suspicious objects 0
Duration of the scan process 01:18:29

Infected Object Name Virus Name Last Action
C:\4FC.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped

C:\4FC.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.qi skipped

C:\4FC.tmp NSIS: infected - 2 skipped

C:\Deckard\System Scanner\20071113123351\backup\DOCUME~1\Owner\LOCALS~1\Temp\xxuwdlno.exe Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29480D59.exe Infected: Trojan-Downloader.Win32.Agent.ehg skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BC0235D Infected: Trojan.Win32.BHO.re skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BCA2152 Infected: Trojan.Win32.BHO.re skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C80672F.dll Infected: Trojan.Win32.BHO.re skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E6A0114.dll Infected: Trojan.Win32.BHO.re skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51633137.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51633137.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51633137.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51633137.exe NSIS: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51633137.exe CryptFF: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7439384E.dll Infected: Trojan-Spy.Win32.Goldun.sm skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Desktop\Virus Stuff\dss.exe Infected: Trojan-Downloader.Win32.Agent.fpg skipped

C:\Documents and Settings\Owner\Desktop\Virus Stuff\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner\Desktop\Virus Stuff\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner\Desktop\Virus Stuff\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner\Desktop\Virus Stuff\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0758NAV~.TMP Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0845NAV~.TMP Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP11\A0001411.dll Infected: Trojan-Spy.Win32.Agent.ags skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP11\A0001412.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP13\A0002460.dll Infected: Trojan.Win32.BHO.rg skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP13\A0002461.dll Infected: Trojan.Win32.BHO.rg skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP13\A0002462.dll Infected: Trojan.Win32.BHO.rf skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP13\A0002463.dll Infected: Trojan.Win32.BHO.rf skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP14\A0003454.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP2\A0000041.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005978.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005979.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005980.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005981.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005982.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005983.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\A0005984.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP20\change.log Object is locked skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000055.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000057.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000059.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000060.exe Infected: Trojan.Win32.VB.azo skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000062.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000063.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000064.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000065.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000066.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000067.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000068.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000069.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000070.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000071.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000072.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000084.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000084.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000084.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000084.exe/WISE0027.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000084.exe WiseSFX: infected - 4 skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000084.exe WiseSFX Dropper: infected - 4 skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000090.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000091.exe/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000091.exe CAB: infected - 1 skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000091.exe CryptFF: infected - 1 skipped

C:\System Volume Information\_restore{B710A6CB-99C5-419E-BCA6-294A2D975C9D}\RP3\A0000094.exe Infected: Trojan-Downloader.Win32.Agent.erh skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{3E0F8FC5-975F-4B3F-919A-F69F8E7A85F8}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 10:34:13 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Atari Launcher 2] "C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe"
O4 - HKLM\..\Run: [Atari Launcher] "C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167266843915
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

thanks...
  • 0
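An added example, not part of the original post and not code from the HijackThis tool: a small Python triage pass over six lines copied from the log above. It flags the entry types a reviewer of such a log checks first: an AutoConfigURL that is a bare IP address (the browser then fetches its proxy settings from whoever controls that address), Run entries that name a bare file with no path, O16 ActiveX entries with no source URL, Winlogon Notify DLLs, and services whose file is missing or whose owner is unknown. The severities are this example's own judgement, not something the thread states; nothing here decides whether a given entry is malicious, it only says what to verify.

```python
import re
from ipaddress import ip_address

# Constructed sample: six lines copied from the HijackThis log above. The ccApp and
# PictureTaker lines are fully-pathed, vendor-owned entries kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 68.114.167.217
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def looks_like_bare_ip(value):
    """True if a PAC/proxy value is an IPv4 literal, with or without http(s):// and a path."""
    host = re.sub(r"^https?://", "", value.strip()).split("/")[0].split(":")[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "R1" and "AutoConfigURL" in body:
        value = body.split("=", 1)[1].strip()
        if looks_like_bare_ip(value):
            return ("high", f"proxy auto-config URL is a bare IP ({value}): every browser request "
                            "can be routed through a proxy chosen by whoever controls that address")
        return ("info", f"AutoConfigURL is set ({value}); confirm it is one your network expects")

    if section == "O4" and "Run:" in body and "]" in body:
        target = body.split("]", 1)[1].strip()
        if target.startswith('"'):
            exe = target[1:].split('"', 1)[0]        # quoted full path
        else:
            exe = target.split(" ", 1)[0]            # first token, possibly a bare name
        if exe and "\\" not in exe:
            return ("medium", f"Run entry names a bare file ({exe}) resolved via the search path; "
                              "verify which file actually runs")
        return None
    if section == "O4" and body.rstrip().endswith("= ?"):
        return ("low", "startup shortcut whose target HijackThis could not resolve")

    if section == "O16":
        url = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if not url:
            return ("low", "ActiveX download entry with no name and no source URL; "
                           "orphaned entry, a candidate for removal")
        return None

    if section == "O20":
        return ("info", "DLL loaded into winlogon.exe at logon; a persistence slot, so check its publisher")

    if section == "O23":
        if "(file missing)" in body:
            return ("medium", "service points at a file that no longer exists; leftover or removed software")
        if "Unknown owner" in body:
            return ("info", "service binary carries no company information; check its signer")
    return None


def triage(log_text):
    """Run check_line over a whole log; returns (section, severity, reason, line) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = check_line(line)
        if hit:
            findings.append((line.split(" ", 1)[0], hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for section, severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {line}")
```

Run against the sample, the R1 line comes out as the one high-severity item; the GWMDMMSG entry is only "verify", since a bare name resolves through the search path but is often just a vendor installer's shortcut.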

#12 racenutalways (Member 1K, Retired Staff, 1,675 posts)
Glad to hear everything is running well. Delete this file, C:\4FC.tmp, and you are good to go. :)

Now that you are ready to surf the net peacefully, here are things I like to suggest to users;

There are different browsers available on the net, other than Internet Explorer; we believe these are better for security purposes:

Firefox
Opera

Google Toolbar <= Get the free google toolbar to help stop pop up windows.

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

You should also have a good firewall. Here are 2 free ones available for personal use:

Kerio Personal Firewall
ZoneAlarm

To keep your operating system up to date visit monthly

Microsoft Windows Update

And to keep your system clean run these free malware scanners

AdAware SE Personal - How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
Spybot Search & Destroy - How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

And lastly, read Tony Klein's article: So how DID you get infected in the first place?
  • 0
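As an added example (not part of racenutalways' post and not code from the MVPS project), here is a Python model of what a blocking HOSTS file does to name resolution: comments are stripped, several names may share one line, the first matching line wins, the match is exact and case-insensitive per hostname, and anything mapped to 127.0.0.1 (or 0.0.0.0, which newer lists use) never leaves the machine. The sample file is constructed; its ad and tracker hostnames are invented and the real MVPS list is far longer. The last function shows the caveat that matters in practice: a subdomain the list does not name is not blocked.

```python
import ipaddress

# Constructed sample HOSTS file, not the real MVPS list: the stock localhost line
# plus a few invented ad/tracker names in the form such a blocklist carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test        # newer lists use 0.0.0.0 instead of loopback
127.0.0.1       tracker.example-metrics.test click.example-metrics.test
127.0.0.1       ExampleSpyware.test
this is not a hosts line
"""

# Addresses that keep the request on the local machine (nothing listens there, so it fails fast).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return an ordered list of (ip, hostname) pairs; comments stripped, names lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: the resolver ignores it, so we do too
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def resolve(entries, hostname):
    """Exact, case-insensitive match; first hit wins, None if the file has no entry."""
    hostname = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def is_sinkholed(entries, hostname):
    """True when the HOSTS file sends this name to a sink address instead of the real server."""
    return resolve(entries, hostname) in SINK_ADDRESSES


def unblocked(entries, hostnames):
    """Names a page would contact that the HOSTS file does not stop (e.g. unlisted subdomains)."""
    return [h for h in hostnames if not is_sinkholed(entries, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    page_contacts = ["ads.example-adserver.test", "cdn.ads.example-adserver.test",
                     "Click.Example-Metrics.test", "www.example-news.test"]
    for name in page_contacts:
        print(f"{name:35} -> {resolve(hosts, name) or 'real DNS'}")
    print("still reachable:", unblocked(hosts, page_contacts))
```

The check in `unblocked` is the one worth running on a real list: an ad network that serves from a new subdomain slips past a HOSTS file until the list is updated, which is why the MVPS file is re-downloaded periodically rather than installed once.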

#13 KingzJnky22 (Topic Starter, Member, 16 posts)
Thank You SO MUCH for helping me!

I deleted the C:\4FC.tmp file as instructed

and looking into the other browsers and spyware tools

I still have a question - during this whole procedure I have 4 files that ended up on my desktop that I can't get rid of...

they are CAENGN5A. - CAC1K94V. - CAXWN6B5. - CA79TZAE.

If I try and delete them, says 'cannot delete file: cannot read from the source file or disk'

If I try and move them, says the same...

They are 0 KB; not sure why it won't let me do anything with them. Not sure if they were there before I contacted GTG or not. I downloaded a few things to try and eliminate the virus myself (obviously that didn't work... lol)

I tried doing a search on these 4 files - unable to find anything?

have any suggestions?

thanks
  • 0

#14 racenutalways (Member 1K, Retired Staff, 1,675 posts)
Did you try deleting them in safe mode?
  • 0

#15 KingzJnky22 (Topic Starter, Member, 16 posts)
Actually I did try to delete them while in safe mode. still no change. I forgot to mention that in my previous post....

I'm not sure how to get rid of them?
  • 0
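Added example, not from the thread: the four names are quoted exactly as the post writes them, with a trailing period. If that period is really part of the file name (a hypothesis; the thread never confirms it), the symptom matches a known Windows behaviour: the ordinary Win32 path rules silently strip trailing dots and spaces, so Explorer and cmd.exe keep asking for CAENGN5A without the dot, which does not exist, and report that the source cannot be read. Opening the file through an extended-length \\?\ path turns that normalisation off, which is the same trick as typing `del "\\?\C:\...\CAENGN5A."` in a command prompt. The desktop path is assumed for a Windows XP profile called Owner; the script only performs the delete on Windows and otherwise reports what it would do.

```python
import ntpath
import os
import sys

# Names as they appear in the post, trailing period included (hypothesis: the period is
# literally part of the name). The desktop path is an assumption for an XP profile "Owner".
STUCK_FILES = ["CAENGN5A.", "CAC1K94V.", "CAXWN6B5.", "CA79TZAE."]
DESKTOP = r"C:\Documents and Settings\Owner\Desktop"

# Device names that Win32 also refuses to treat as ordinary files, whatever the extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def win32_name_problems(name):
    """List why the normal Win32 path rules cannot address this name; empty if it is fine."""
    problems = []
    if name != name.rstrip(". "):
        problems.append("trailing dot or space is stripped by Win32 path normalisation")
    if name.split(".", 1)[0].upper() in RESERVED:
        problems.append("stem is a reserved device name")
    if any(c in name for c in '<>:"/\\|?*'):
        problems.append("contains a character Win32 forbids in file names")
    return problems


def extended_path(directory, name):
    r"""Join with NT separators and add the \\?\ prefix, which disables normalisation."""
    full = ntpath.join(directory, name)
    return full if full.startswith("\\\\?\\") else "\\\\?\\" + full


def remove_stuck(directory, names, dry_run=(sys.platform != "win32")):
    """Delete each file through its extended-length path; returns {name: outcome}."""
    outcome = {}
    for name in names:
        path = extended_path(directory, name)
        if dry_run:
            outcome[name] = f"would delete {path}"
            continue
        try:
            os.remove(path)           # DeleteFileW receives the exact name, dot included
            outcome[name] = "deleted"
        except OSError as exc:
            outcome[name] = f"failed: {exc.strerror}"
    return outcome


if __name__ == "__main__":
    for name in STUCK_FILES:
        print(name, "->", win32_name_problems(name) or "no naming problem")
    for name, result in remove_stuck(DESKTOP, STUCK_FILES).items():
        print(f"{name}: {result}")
```

If `win32_name_problems` comes back empty for a name and the delete still fails, the cause is something else (an open handle, a damaged directory entry), and this approach will not help.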