[ferynd]

Hello, I have recently downloaded HiJack This and i needed some help in removing some Virus(es). The problem is that internet ads will pop-up using internet explorer, also if i close limewire it will automatically reopen. my first thought was that the virus was there so i went and un-installed limewire. the problem still occurs except i get a message saying that limewire can not open because one or more files is corrupt, and the pop-ups still keep coming. below i posted my Hijack This log, any help to remove this virus(es) would be great and i would appreciate it

________________________________________________________________

Original Hijack This log. New one is posted in a reply below

Logfile of HijackThis v1.99.1
Scan saved at 12:34:22 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\eM\Bay Reader\Shwicon2k .exe
C:\WINDOWS\RmVyeW5k\command.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ferynd\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddccd.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmVyeW5k\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Edited by ferynd, 16 January 2008 - 07:05 PM.

[Advertisements]

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

[Rorschach112]

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

[ferynd]

Thank you for taking the time to look at my logs and helping me to fix the computer i posted both a ComboFix log and a Hijack This log. The Hijack This log was taken after i ran combo fix.

________________________________________________________________________________

Combo Fix Log

ComboFix 08-01-17.1 - 01/16/2008 17:21:53.1 - NTFSx86
Running from: C:\Documents and Settings\LocalService\Desktop\ComboFix(3).exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ferynd\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Ferynd\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Ferynd\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\mrfz\mrfza.exe
C:\Program Files\Common Files\mrfz\mrfza.lck
C:\Program Files\Common Files\mrfz\mrfzd\class-barrel
C:\Program Files\Common Files\mrfz\mrfzd\mrfzc.dll
C:\Program Files\Common Files\mrfz\mrfzd\vocabulary
C:\Program Files\Common Files\mrfz\mrfzl.exe
C:\Program Files\Common Files\mrfz\mrfzl.lck
C:\Program Files\Common Files\mrfz\mrfzm.exe
C:\Program Files\Common Files\mrfz\mrfzm.lck
C:\Program Files\Common Files\mrfz\mrfzp.exe
C:\Program Files\Common Files\stem~1\??stem\
C:\Program Files\Common Files\stem~1\mshta .exe
C:\Program Files\Common Files\stem~1\mshta.exe
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\FINAL -- Fort 5.6_MST-ONLY.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrfz
C:\WINDOWS\mrfz\mrfz.dat
C:\WINDOWS\mrfz\wu
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\RmVyeW5k\
C:\WINDOWS\RmVyeW5k\\asappsrv.dll
C:\WINDOWS\RmVyeW5k\\command.exe
C:\WINDOWS\RmVyeW5k\\lApVyqc4.vbs
C:\WINDOWS\RmVyeW5k\command.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bkmqeqi.dll
C:\WINDOWS\system32\byxvuro.dll
C:\WINDOWS\system32\cbxyaxu.dll
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\ddccd.exe
C:\WINDOWS\system32\fcccbxw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\RCX2C.tmp
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wnscpsv.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\ymante~1
C:\WINDOWS\ymante~1\?hkntfs.exe
C:\WINDOWS\Fonts\-
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 17:54 . 2008-01-17 17:54 <DIR> d-------- C:\Temp\tn3
2008-01-16 17:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 07:30 . 2008-01-16 07:30 <DIR> d-------- C:\WINDOWS\system32\060607FF010A0
2008-01-16 07:29 . 2007-12-14 07:40 120,832 --a------ C:\WINDOWS\system32\18181912131C1.exe
2008-01-13 00:58 . 2008-01-13 01:50 <DIR> d-------- C:\LuniaGSP
2008-01-12 23:52 . 2008-01-12 23:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-01-12 04:04 . 2008-01-12 04:04 24 --a------ C:\WINDOWS\wininit.ini
2008-01-12 04:02 . 2008-01-12 04:02 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-12 03:55 . 2008-01-12 03:55 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-12 03:53 . 2008-01-12 03:53 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-12 03:53 . 2008-01-12 03:53 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-12 03:53 . 2008-01-12 04:49 <DIR> d-------- C:\WINDOWS\system32\ez4
2008-01-12 03:53 . 2008-01-12 03:53 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-12 03:53 . 2008-01-13 05:15 379,904 --a------ C:\WINDOWS\mrofinu1000106.exe.tmp
2008-01-12 03:53 . 2008-01-12 03:53 86,016 --a------ C:\WINDOWS\system32\drivers\atinmdxxx.sys
2008-01-12 03:53 . 2008-01-14 17:55 36,864 -ra------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-01-12 03:53 . 2008-01-17 17:54 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-12 03:52 . 2008-01-12 03:52 <DIR> d-------- C:\WINDOWS\system32\edcA18
2008-01-12 03:52 . 2008-01-12 03:53 <DIR> d-------- C:\Temp\Ryuan1
2008-01-12 03:52 . 2008-01-17 17:54 <DIR> d-------- C:\Temp
2008-01-12 03:35 . 2008-01-13 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 03:35 . 2008-01-12 03:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 19:56 . 2008-01-04 19:57 82 --a------ C:\WINDOWS\mafosav.INI
2008-01-03 02:12 . 2008-01-03 02:12 <DIR> d-------- C:\WINDOWS\Sun
2008-01-02 23:48 . 2008-01-12 14:42 <DIR> d-------- C:\Documents and Settings\Ferynd\Shared
2008-01-02 23:48 . 2008-01-12 14:47 <DIR> d-------- C:\Documents and Settings\Ferynd\Incomplete
2008-01-02 23:48 . 2008-01-15 22:20 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\LimeWire
2008-01-02 23:48 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-02 23:47 . 2008-01-12 14:46 <DIR> d-------- C:\Program Files\LimeWire
2008-01-02 23:47 . 2008-01-02 23:48 <DIR> d-------- C:\Program Files\Java
2008-01-02 23:47 . 2008-01-02 23:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-02 09:43 . 2008-01-10 18:54 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-02 09:43 . 2008-01-10 18:54 56 -r-hs---- C:\WINDOWS\system32\9383E19219.sys
2008-01-02 09:39 . 2008-01-02 09:42 <DIR> d-------- C:\Program Files\Enterbrain
2007-12-29 14:23 . 2007-12-30 12:07 <DIR> d-------- C:\Program Files\Savage
2007-12-29 13:42 . 2007-12-29 13:52 <DIR> d-------- C:\Documents and Settings\Ferynd\.xmoto
2007-12-26 21:26 . 2007-12-26 21:26 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\DivX
2007-12-22 04:44 . 2008-01-04 00:14 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-12-20 03:38 . 2007-09-18 23:41 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-12-20 03:34 . 2007-12-20 03:39 <DIR> d-------- C:\Program Files\PerfectWorld
2007-12-17 06:25 . 2007-12-17 06:25 <DIR> d-------- C:\Program Files\Orban

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 22:22 --------- d-----w C:\Program Files\QuickTime
2008-01-17 22:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-13 10:24 10 ----a-w C:\Program Files\.autoreg
2008-01-04 05:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:16 --------- d-----w C:\Program Files\ICQ
2008-01-04 05:12 --------- d-----w C:\Program Files\BigFix
2007-12-19 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2007-12-12 05:48 --------- d-----w C:\Program Files\Outspark
2007-12-12 05:47 --------- d-----w C:\Program Files\OGPlanet
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\Ferynd\Application Data\MSN6
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-11-18 14:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-17 10:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 10:15 --------- d-----w C:\Program Files\DivX
2007-11-17 05:13 --------- d-----w C:\Program Files\Common Files\DirectX
2007-11-05 23:41 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2003-08-13 13:23 32 --sha-w C:\WINDOWS\{A24287D9-C5C5-449A-A4D7-455BE6CFA48E}.dat
2003-08-13 13:23 32 --sha-w C:\WINDOWS\system32\{4AEF2316-1DFF-4F96-BEDB-54E5AA72AE7B}.dat
.
CODE
<pre>
----a-w 185,632 2008-01-17 22:54:54 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 65,536 2008-01-17 22:54:54 C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
----a-w 50,880 2008-01-17 22:54:50 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 34,504 2008-01-17 22:54:54 C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w 135,168 2008-01-17 22:54:55 C:\Program Files\eM\Bay Reader\Shwicon2k .exe
----a-w 132,496 2008-01-17 22:54:55 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 200,704 2008-01-17 22:54:54 C:\Program Files\Microsoft Money\System\mnyexpr .exe
----a-w 652,800 2008-01-17 22:55:31 C:\Program Files\QuickTime\qttask .exe
----a-w 652,800 2008-01-17 22:22:58 C:\Program Files\QuickTime\qttask .exe
----a-w 652,800 2008-01-16 03:14:35 C:\Program Files\QuickTime\qttask .exe
----a-w 868,352 2008-01-17 22:54:57 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w 3,411,968 2008-01-17 22:55:03 C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
----a-w 290,821 2008-01-16 03:14:52 C:\WINDOWS\Fonts\svchost .exe
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32B1B799-DDE6-4661-9A11-42C0ADD8870A}]
2008-01-17 17:54 335360 --a------ C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64DF53E2-D4B3-4297-80FA-D54F2F2B2F5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{757DBB88-003C-46D6-9227-EAD730371E28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E015787-B1E3-404a-95DE-3E71E1FA0305}]
2007-11-19 05:36 64000 --a------ C:\WINDOWS\system32\spads.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-17 17:22 551936]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-15 22:14 4055552]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Usrr"="C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe" [ ]
"Zpgpo"="C:\WINDOWS\?ymantec\?hkntfs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"09090A03040D060"="18181912131C1.exe" [2007-12-14 07:40 120832 C:\WINDOWS\system32\18181912131C1.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-15 22:14 390656]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2008-01-17 17:22 374272]
"CHotkey"="mHotkey.exe" [2003-03-21 13:26 483840 C:\WINDOWS\mHotkey.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [2008-01-15 22:14 526336]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-17 17:55 406528]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2008-01-15 22:14 1215488]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 22:14 525824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-17 17:55 652800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-15 22:14 475648]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ddccd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddccd

R1 atinmdxxx;atinmdxxx;C:\WINDOWS\system32\drivers\atinmdxxx.sys [2008-01-12 03:53]
S3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 15:19]

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:13:42 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-05 19:32:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 17:54:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dccdd.ini2 319 bytes
C:\WINDOWS\system32\ddccd.exe 338944 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ddccd.dll
.
Completion time: 2008-01-17 18:01:36 - machine was rebooted [Ferynd]
ComboFix-quarantined-files.txt 2008-01-17 23:01:32
.
2008-01-10 16:35:16 --- E O F ---

________________________________________________________________________________

Hijack This Log after running combo fix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13, on 2008-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\18181912131C1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\eM\Bay Reader\Shwicon2k .exe
C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddccd.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [09090A03040D060] 18181912131C1.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe" -vt ndrv
O4 - HKCU\..\Run: [Zpgpo] C:\WINDOWS\?ymantec\?hkntfs.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5127 bytes

Edited by ferynd, 16 January 2008 - 07:02 PM.

[Rorschach112]

Hello

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.





Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

[ferynd]

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

[Rorschach112]

Ok

Can you run ComboFix.exe now and post the log it produces.

[ferynd]

ComboFix 08-01-17.3 - Ferynd 2008-01-18 10:58:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.144 [GMT -5:00]
Running from: C:\Documents and Settings\Ferynd\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\eM\Bay Reader\Shwicon2k .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\temp\tn3
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\ddccd.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

<pre>
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> realsched.exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe ---> EngUtil.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe ---> ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe ---> ccRegVfy.exe
C:\Program Files\eM\Bay Reader\Shwicon2k .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr .exe ---> mnyexpr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe ---> DrgToDsc.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient .exe ---> VeohClient.exe
</pre>

.
.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 11:04 . 2008-01-18 11:04 <DIR> d-------- C:\Temp\tn3
2008-01-17 21:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-17 21:06 . 2007-11-17 22:50 211 --a------ C:\Boot.bak
2008-01-17 19:13 . 2008-01-17 19:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 17:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 07:30 . 2008-01-16 07:30 <DIR> d-------- C:\WINDOWS\system32\060607FF010A0
2008-01-16 07:29 . 2007-12-14 07:40 120,832 --a------ C:\WINDOWS\system32\18181912131C1.exe
2008-01-13 00:58 . 2008-01-13 01:50 <DIR> d-------- C:\LuniaGSP
2008-01-12 23:52 . 2008-01-12 23:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-01-12 04:04 . 2008-01-12 04:04 24 --a------ C:\WINDOWS\wininit.ini
2008-01-12 04:02 . 2008-01-12 04:02 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-12 03:55 . 2008-01-12 03:55 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-12 03:53 . 2008-01-12 03:53 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-12 03:53 . 2008-01-12 03:53 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-12 03:53 . 2008-01-12 04:49 <DIR> d-------- C:\WINDOWS\system32\ez4
2008-01-12 03:53 . 2008-01-12 03:53 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-12 03:53 . 2008-01-13 05:15 379,904 --a------ C:\WINDOWS\mrofinu1000106.exe.tmp
2008-01-12 03:53 . 2008-01-12 03:53 86,016 --a------ C:\WINDOWS\system32\drivers\atinmdxxx.sys
2008-01-12 03:53 . 2008-01-14 17:55 36,864 -ra------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-01-12 03:53 . 2008-01-18 11:04 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-12 03:52 . 2008-01-12 03:52 <DIR> d-------- C:\WINDOWS\system32\edcA18
2008-01-12 03:52 . 2008-01-12 03:53 <DIR> d-------- C:\Temp\Ryuan1
2008-01-12 03:52 . 2008-01-18 11:04 <DIR> d-------- C:\Temp
2008-01-12 03:35 . 2008-01-13 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 03:35 . 2008-01-12 03:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 19:56 . 2008-01-04 19:57 82 --a------ C:\WINDOWS\mafosav.INI
2008-01-03 02:12 . 2008-01-03 02:12 <DIR> d-------- C:\WINDOWS\Sun
2008-01-02 23:48 . 2008-01-12 14:42 <DIR> d-------- C:\Documents and Settings\Ferynd\Shared
2008-01-02 23:48 . 2008-01-12 14:47 <DIR> d-------- C:\Documents and Settings\Ferynd\Incomplete
2008-01-02 23:48 . 2008-01-15 22:20 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\LimeWire
2008-01-02 23:48 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-02 23:47 . 2008-01-12 14:46 <DIR> d-------- C:\Program Files\LimeWire
2008-01-02 23:47 . 2008-01-02 23:48 <DIR> d-------- C:\Program Files\Java
2008-01-02 23:47 . 2008-01-02 23:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-02 09:43 . 2008-01-10 18:54 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-02 09:43 . 2008-01-10 18:54 56 -r-hs---- C:\WINDOWS\system32\9383E19219.sys
2008-01-02 09:39 . 2008-01-02 09:42 <DIR> d-------- C:\Program Files\Enterbrain
2007-12-29 14:23 . 2007-12-30 12:07 <DIR> d-------- C:\Program Files\Savage
2007-12-29 13:42 . 2007-12-29 13:52 <DIR> d-------- C:\Documents and Settings\Ferynd\.xmoto
2007-12-26 21:26 . 2007-12-26 21:26 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\DivX
2007-12-22 04:44 . 2008-01-04 00:14 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-12-20 03:38 . 2007-09-18 23:41 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-12-20 03:34 . 2007-12-20 03:39 <DIR> d-------- C:\Program Files\PerfectWorld

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 16:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 16:02 --------- d-----w C:\Program Files\QuickTime
2008-01-13 10:24 10 ----a-w C:\Program Files\.autoreg
2008-01-04 05:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:16 --------- d-----w C:\Program Files\ICQ
2008-01-04 05:12 --------- d-----w C:\Program Files\BigFix
2007-12-19 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2007-12-17 11:25 --------- d-----w C:\Program Files\Orban
2007-12-12 05:48 --------- d-----w C:\Program Files\Outspark
2007-12-12 05:47 --------- d-----w C:\Program Files\OGPlanet
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\Ferynd\Application Data\MSN6
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-11-18 14:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-05 23:41 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2003-08-13 13:23 32 --sha-w C:\WINDOWS\{A24287D9-C5C5-449A-A4D7-455BE6CFA48E}.dat
2003-08-13 13:23 32 --sha-w C:\WINDOWS\system32\{4AEF2316-1DFF-4F96-BEDB-54E5AA72AE7B}.dat
.

<pre>
----a-w		   290,821 2008-01-16 03:14:52  C:\WINDOWS\Fonts\svchost .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-17_17.58.23.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 22:17:18 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 02:05:18 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 22:17:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 02:05:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 22:17:21 2,453,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 02:05:18 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 22:17:21 200,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 02:05:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 22:17:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 02:05:18 2,457,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 22:17:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 02:05:19 200,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64DF53E2-D4B3-4297-80FA-D54F2F2B2F5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{757DBB88-003C-46D6-9227-EAD730371E28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E015787-B1E3-404a-95DE-3E71E1FA0305}]
2007-11-19 05:36 64000 --a------ C:\WINDOWS\system32\spads.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-17 17:54 200704]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-17 17:55 3411968]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Usrr"="C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe" [ ]
"Zpgpo"="C:\WINDOWS\?ymantec\?hkntfs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"09090A03040D060"="18181912131C1.exe" [2007-12-14 07:40 120832 C:\WINDOWS\system32\18181912131C1.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 17:54 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2008-01-17 17:54 34504]
"CHotkey"="mHotkey.exe" [2003-03-21 13:26 483840 C:\WINDOWS\mHotkey.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-17 17:54 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2008-01-17 17:54 868352]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-17 17:54 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-17 17:54 132496]

R1 atinmdxxx;atinmdxxx;C:\WINDOWS\system32\drivers\atinmdxxx.sys [2008-01-12 03:53]
S3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 15:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:13:42 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-05 19:32:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 11:04:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 11:08:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 16:08:01
ComboFix2.txt 2008-01-17 23:01:37
.
2008-01-10 16:35:16 --- E O F ---

[Rorschach112]

Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum

• Click on "New Topic"
• Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\drivers\atinmdxxx.sys"
• Put a link to this topic in the description box.
• Then next to the file box, at the bottom, click the browse button, then navigate to this file:
  
  
  
  • C:\WINDOWS\system32\drivers\atinmdxxx.sys
  
  
• Click Open.
• Click Post.

Thank you!

Repeat that for this file

C:\WINDOWS\system32\18181912131C1.exe



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\18181912131C1.exe
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\system32\drivers\atinmdxxx.sys
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\Fonts\svchost.exe

Folder::
C:\Temp\tn3
C:\WINDOWS\?ymantec
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\edcA18
C:\Temp\Ryuan1

Driver::
atinmdxxx

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Also post a new HijackThis log

[ferynd]

ComboFix 08-01-17.3 - Ferynd 2008-01-18 11:37:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.304 [GMT -5:00]
Running from: C:\Documents and Settings\Ferynd\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ferynd\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\18181912131C1.exe
C:\WINDOWS\system32\drivers\atinmdxxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\Ryuan1
C:\Temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\Fonts\svchost .exe
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\18181912131C1.exe
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\che9\farstadcom2.exe
C:\WINDOWS\system32\drivers\atinmdxxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\edcA18
C:\WINDOWS\system32\edcA18\edcA182328.exe
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\mp2\oedvers112.exe
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\vt8\tycodllz83122.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ATINMDXXX
-------\atinmdxxx


((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 21:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-17 21:06 . 2007-11-17 22:50 211 --a------ C:\Boot.bak
2008-01-17 19:13 . 2008-01-17 19:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 17:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 07:30 . 2008-01-16 07:30 <DIR> d-------- C:\WINDOWS\system32\060607FF010A0
2008-01-13 00:58 . 2008-01-13 01:50 <DIR> d-------- C:\LuniaGSP
2008-01-12 23:52 . 2008-01-12 23:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-01-12 04:04 . 2008-01-12 04:04 24 --a------ C:\WINDOWS\wininit.ini
2008-01-12 04:02 . 2008-01-12 04:02 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-12 03:55 . 2008-01-12 03:55 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-12 03:52 . 2008-01-18 11:40 <DIR> d-------- C:\Temp
2008-01-12 03:35 . 2008-01-13 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 03:35 . 2008-01-12 03:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 19:56 . 2008-01-04 19:57 82 --a------ C:\WINDOWS\mafosav.INI
2008-01-03 02:12 . 2008-01-03 02:12 <DIR> d-------- C:\WINDOWS\Sun
2008-01-02 23:48 . 2008-01-12 14:42 <DIR> d-------- C:\Documents and Settings\Ferynd\Shared
2008-01-02 23:48 . 2008-01-12 14:47 <DIR> d-------- C:\Documents and Settings\Ferynd\Incomplete
2008-01-02 23:48 . 2008-01-15 22:20 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\LimeWire
2008-01-02 23:48 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-02 23:47 . 2008-01-12 14:46 <DIR> d-------- C:\Program Files\LimeWire
2008-01-02 23:47 . 2008-01-02 23:48 <DIR> d-------- C:\Program Files\Java
2008-01-02 23:47 . 2008-01-02 23:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-02 09:43 . 2008-01-10 18:54 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-02 09:43 . 2008-01-10 18:54 56 -r-hs---- C:\WINDOWS\system32\9383E19219.sys
2008-01-02 09:39 . 2008-01-02 09:42 <DIR> d-------- C:\Program Files\Enterbrain
2007-12-29 14:23 . 2007-12-30 12:07 <DIR> d-------- C:\Program Files\Savage
2007-12-29 13:42 . 2007-12-29 13:52 <DIR> d-------- C:\Documents and Settings\Ferynd\.xmoto
2007-12-26 21:26 . 2007-12-26 21:26 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\DivX
2007-12-22 04:44 . 2008-01-04 00:14 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-12-20 03:38 . 2007-09-18 23:41 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-12-20 03:34 . 2007-12-20 03:39 <DIR> d-------- C:\Program Files\PerfectWorld

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 16:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 16:02 --------- d-----w C:\Program Files\QuickTime
2008-01-16 03:20 118,336 ----a-w C:\WINDOWS\Fonts\x.zip
2008-01-13 10:24 10 ----a-w C:\Program Files\.autoreg
2008-01-04 05:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:16 --------- d-----w C:\Program Files\ICQ
2008-01-04 05:12 --------- d-----w C:\Program Files\BigFix
2007-12-19 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2007-12-17 11:25 --------- d-----w C:\Program Files\Orban
2007-12-12 05:48 --------- d-----w C:\Program Files\Outspark
2007-12-12 05:47 --------- d-----w C:\Program Files\OGPlanet
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\Ferynd\Application Data\MSN6
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-11-18 14:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-05 23:41 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2007-01-10 17:15 290,822 ----a-w C:\WINDOWS\Fonts\Setup.exe
2003-08-13 13:23 32 --sha-w C:\WINDOWS\{A24287D9-C5C5-449A-A4D7-455BE6CFA48E}.dat
2003-08-13 13:23 32 --sha-w C:\WINDOWS\system32\{4AEF2316-1DFF-4F96-BEDB-54E5AA72AE7B}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_17.58.23.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 22:17:18 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 16:37:29 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 22:17:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 16:37:29 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 22:17:21 2,453,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 16:37:29 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 22:17:21 200,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 16:37:29 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 22:17:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 16:37:30 2,469,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 22:17:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 16:37:30 200,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64DF53E2-D4B3-4297-80FA-D54F2F2B2F5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{757DBB88-003C-46D6-9227-EAD730371E28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E015787-B1E3-404a-95DE-3E71E1FA0305}]
2007-11-19 05:36 64000 --a------ C:\WINDOWS\system32\spads.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-17 17:54 200704]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-17 17:55 3411968]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Usrr"="C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe" [ ]
"Zpgpo"="C:\WINDOWS\?ymantec\?hkntfs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"09090A03040D060"="18181912131C1.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 17:54 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2008-01-17 17:54 34504]
"CHotkey"="mHotkey.exe" [2003-03-21 13:26 483840 C:\WINDOWS\mHotkey.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-17 17:54 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2008-01-17 17:54 868352]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-17 17:54 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-17 17:54 132496]

S3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 15:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:13:42 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-05 19:32:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 11:42:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 11:45:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 16:45:32
ComboFix2.txt 2008-01-18 16:08:04
ComboFix3.txt 2008-01-17 23:01:37
.
2008-01-10 16:35:16 --- E O F ---


_________________________________________________________________________



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46, on 2008-01-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {64DF53E2-D4B3-4297-80FA-D54F2F2B2F5C} - \
O2 - BHO: (no name) - {757DBB88-003C-46D6-9227-EAD730371E28} - \
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [09090A03040D060] 18181912131C1.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe" -vt ndrv
O4 - HKCU\..\Run: [Zpgpo] C:\WINDOWS\?ymantec\?hkntfs.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5064 bytes

[Rorschach112]

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\18181912131C1.exe
C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe
C:\WINDOWS\system32\spads.dll

Folder::
C:\WINDOWS\Fonts\x.zip
C:\WINDOWS\?ymantec

Dirlook::
C:\WINDOWS\Fonts

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {64DF53E2-D4B3-4297-80FA-D54F2F2B2F5C} - \
O2 - BHO: (no name) - {757DBB88-003C-46D6-9227-EAD730371E28} - \
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O4 - HKLM\..\Run: [09090A03040D060] 18181912131C1.exe
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\STEM~1\mshta.exe" -vt ndrv
O4 - HKCU\..\Run: [Zpgpo] C:\WINDOWS\?ymantec\?hkntfs.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log

[ferynd]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28, on 2008-01-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4549 bytes

[Rorschach112]

Can you post the ComboFix log as well

[ferynd]

ComboFix 08-01-17.3 - Ferynd 2008-01-17 17:07:41.5 - NTFSx86
Running from: C:\Documents and Settings\Ferynd\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 21:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-17 21:06 . 2007-11-17 22:50 211 --a------ C:\Boot.bak
2008-01-17 19:13 . 2008-01-17 19:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 17:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 07:30 . 2008-01-16 07:30 <DIR> d-------- C:\WINDOWS\system32\060607FF010A0
2008-01-13 00:58 . 2008-01-13 01:50 <DIR> d-------- C:\LuniaGSP
2008-01-12 23:52 . 2008-01-12 23:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-01-12 04:04 . 2008-01-12 04:04 24 --a------ C:\WINDOWS\wininit.ini
2008-01-12 04:02 . 2008-01-12 04:02 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-12 03:55 . 2008-01-12 03:55 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-12 03:52 . 2008-01-18 11:40 <DIR> d-------- C:\Temp
2008-01-12 03:35 . 2008-01-13 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 03:35 . 2008-01-12 03:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 19:56 . 2008-01-04 19:57 82 --a------ C:\WINDOWS\mafosav.INI
2008-01-03 02:12 . 2008-01-03 02:12 <DIR> d-------- C:\WINDOWS\Sun
2008-01-02 23:48 . 2008-01-12 14:42 <DIR> d-------- C:\Documents and Settings\Ferynd\Shared
2008-01-02 23:48 . 2008-01-12 14:47 <DIR> d-------- C:\Documents and Settings\Ferynd\Incomplete
2008-01-02 23:48 . 2008-01-15 22:20 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\LimeWire
2008-01-02 23:48 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-02 23:47 . 2008-01-12 14:46 <DIR> d-------- C:\Program Files\LimeWire
2008-01-02 23:47 . 2008-01-02 23:48 <DIR> d-------- C:\Program Files\Java
2008-01-02 23:47 . 2008-01-02 23:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-02 09:43 . 2008-01-10 18:54 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-02 09:43 . 2008-01-10 18:54 56 -r-hs---- C:\WINDOWS\system32\9383E19219.sys
2008-01-02 09:39 . 2008-01-02 09:42 <DIR> d-------- C:\Program Files\Enterbrain
2007-12-29 14:23 . 2007-12-30 12:07 <DIR> d-------- C:\Program Files\Savage
2007-12-29 13:42 . 2007-12-29 13:52 <DIR> d-------- C:\Documents and Settings\Ferynd\.xmoto
2007-12-26 21:26 . 2007-12-26 21:26 <DIR> d-------- C:\Documents and Settings\Ferynd\Application Data\DivX
2007-12-22 04:44 . 2008-01-04 00:14 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-12-20 03:38 . 2007-09-18 23:41 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-12-20 03:34 . 2007-12-20 03:39 <DIR> d-------- C:\Program Files\PerfectWorld
2007-12-17 06:25 . 2007-12-17 06:25 <DIR> d-------- C:\Program Files\Orban

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 17:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 16:02 --------- d-----w C:\Program Files\QuickTime
2008-01-16 03:20 118,336 ----a-w C:\WINDOWS\Fonts\x.zip
2008-01-13 10:24 10 ----a-w C:\Program Files\.autoreg
2008-01-04 05:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:16 --------- d-----w C:\Program Files\ICQ
2008-01-04 05:12 --------- d-----w C:\Program Files\BigFix
2007-12-19 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2007-12-12 05:48 --------- d-----w C:\Program Files\Outspark
2007-12-12 05:47 --------- d-----w C:\Program Files\OGPlanet
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\Ferynd\Application Data\MSN6
2007-11-19 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-11-18 14:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-17 10:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 10:15 --------- d-----w C:\Program Files\DivX
2007-11-17 05:13 --------- d-----w C:\Program Files\Common Files\DirectX
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-05 23:41 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 08:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 08:37 66,056 ----a-w C:\WINDOWS\system32\dxdllreg.exe
2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2007-01-10 17:15 290,822 ----a-w C:\WINDOWS\Fonts\Setup.exe
2003-08-13 13:23 32 --sha-w C:\WINDOWS\{A24287D9-C5C5-449A-A4D7-455BE6CFA48E}.dat
2003-08-13 13:23 32 --sha-w C:\WINDOWS\system32\{4AEF2316-1DFF-4F96-BEDB-54E5AA72AE7B}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_17.58.23.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 22:17:18 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 17:19:41 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 22:17:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 17:19:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 22:17:21 2,453,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 17:19:41 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 22:17:21 200,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 17:19:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 22:17:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 17:19:41 2,469,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 22:17:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 17:19:41 200,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-17 17:54 200704]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-17 17:55 3411968]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 17:54 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2008-01-17 17:54 34504]
"CHotkey"="mHotkey.exe" [2003-03-21 13:26 483840 C:\WINDOWS\mHotkey.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-17 17:54 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2008-01-17 17:54 868352]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-17 17:54 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-17 17:54 132496]

S3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-01 15:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:13:42 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-05 19:32:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 17:10:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 17:18:16
ComboFix-quarantined-files.txt 2008-01-17 22:18:14
ComboFix2.txt 2008-01-18 17:22:22
ComboFix3.txt 2008-01-18 16:45:35
ComboFix4.txt 2008-01-18 16:08:04
ComboFix5.txt 2008-01-17 23:01:37
.
2008-01-10 16:35:16 --- E O F ---

[Rorschach112]

Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Also post a new HijackThis log and tell me how your PC is running

[ferynd]

My computer is running pretty smooth now. Limewire is no longer trying to open it's self up and there are no more pop ups. Here are the logs for Kaspersky and Hijack This
(thank you for taking the tim to help me out i greatly appreciate it.)





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-17 23:13
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/01/2008
Kaspersky Anti-Virus database records: 519055
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 83923
Number of viruses found: 37
Number of infected objects: 285
Number of suspicious objects: 0
Duration of the scan process: 02:29:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Ferynd\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ferynd\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\history.dat Object is locked skipped
C:\Documents and Settings\Ferynd\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\key3.db Object is locked skipped
C:\Documents and Settings\Ferynd\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ferynd\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ferynd\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ferynd\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Application Data\Mozilla\Firefox\Profiles\39nd29rb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Temp\fla67.tmp Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Temp\~DF6EA7.tmp Object is locked skipped
C:\Documents and Settings\Ferynd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ferynd\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ferynd\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\mrfz\mrfza.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\mrfz\mrfzl.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\mrfz\mrfzm.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\mrfz\mrfzp.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Roxio Shared\System\EngUtil.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\STEM~1\mshta .exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fa skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\STEM~1\mshta.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\STEM~1.vir\mshta.exe Infected: Trojan-Downloader.Win32.PurityScan.fa skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Symantec Shared\ccApp.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Symantec Shared\ccRegVfy.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\eM\Bay Reader\Shwicon2k.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\InetGet2\FINAL -- Fort 5.6_MST-ONLY.exe.vir/mst455101.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\InetGet2\FINAL -- Fort 5.6_MST-ONLY.exe.vir/mst455101.exe Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\InetGet2\FINAL -- Fort 5.6_MST-ONLY.exe.vir InstallCreator: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\InetGet2\FINAL -- Fort 5.6_MST-ONLY.exe.vir UPX: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_02\bin\jusched.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft Money\System\mnyexpr.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Router\Router .exe.vir Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\QooBox\Quarantine\C\Program Files\Router\Router.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\QooBox\Quarantine\C\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan.Win32.Agent.dwb skipped
C:\QooBox\Quarantine\C\Program Files\Veoh Networks\Veoh\VeohClient.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\QooBox\Quarantine\C\WINDOWS\b128.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost .exe.vir Infected: Backdoor.Win32.IRCBot.aro skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\RmVyeW5k\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\RmVyeW5k\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bkmqeqi.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddccd.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\edcA18\edcA182328.exe.vir Infected: Trojan-Downloader.Win32.VB.ceh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mp2\oedvers112.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX25.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX2C.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spads.dll.vir Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vt8\tycodllz83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vt8\tycodllz83122.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\YMANTE~1\сhkntfs.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\QooBox\Quarantine\catchme2008-01-18_114158.62.zip/atinmdxxx.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-01-18_114158.62.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP100\A0023074.exe Infected: Trojan-Downloader.Win32.VB.ceh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP100\A0023075.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP100\A0023076.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP100\A0023076.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP100\A0023077.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP101\A0023133.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP102\change.log Object is locked skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP82\A0013910.dll Infected: not-a-virus:AdWare.Win32.BHO.pm skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP82\A0013911.dll Infected: not-a-virus:AdWare.Win32.Agent.yr skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP91\A0020288.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020592.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020594.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020597.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020602.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020603.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020605.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020606.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020607.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020608.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020609.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020610.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020612.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020613.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020614.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020615.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020621.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020637.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020638.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020640.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020641.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020642.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020643.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020644.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020645.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020646.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020648.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020650.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020651.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020657.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020662.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020668.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020669.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020675.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020677.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020678.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020679.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020680.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020681.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020682.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020683.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020684.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020685.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020686.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020687.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020688.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020694.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020697.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020701.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020707.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020711.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020712.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020714.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020715.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020716.exe Infected: Trojan-Downloader.Win32.Agent.hcn skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020725.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020728.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0020731.exe Infected: Trojan-Downloader.Win32.Agent.hcm skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021712.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021713.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021714.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021715.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021716.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021717.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021718.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021719.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021720.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021721.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021723.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021724.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021725.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021726.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021736.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021739.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021740.exe Infected: Trojan-Downloader.Win32.PurityScan.fa skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0021742.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022711.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022712.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022714.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022715.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022716.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022717.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022718.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022719.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022720.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022721.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022725.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022726.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022727.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022732.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022734.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022737.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022738.exe Infected: Trojan-Downloader.Win32.PurityScan.fa skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022741.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP92\A0022743.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022745.exe Infected: Trojan-Downloader.Win32.PurityScan.fa skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022748.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022749.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022750.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022751.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022752.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022753.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022754.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022755.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022756.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022757.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022758.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022760.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022761.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP93\A0022763.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022764.exe Infected: Trojan-Downloader.Win32.PurityScan.fa skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022766.exe Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022767.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022767.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022770.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022771.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022773.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022774.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022774.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022774.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022774.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022775.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022776.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022777.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022779.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022780.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022781.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022784.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022785.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022786.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022787.exe Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022788.exe Infected: Trojan.Win32.Agent.dwb skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022789.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022790.exe/mst455101.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022790.exe/mst455101.exe Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022790.exe InstallCreator: infected - 2 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022790.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022791.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022793.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022794.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022797.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022798.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022800.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022801.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022803.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022806.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022837.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022838.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022839.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022840.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022841.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022842.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022843.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022844.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP94\A0022845.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022852.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022855.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022856.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022857.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022857.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022857.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022857.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022858.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewWeb.ay skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022858.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.NewWeb.ay skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022858.exe/data0009 Infected: not-a-virus:AdWare.Win32.NewWeb.ay skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022858.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022913.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022914.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022915.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022916.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022917.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022918.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022919.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022921.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022922.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022923.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP95\A0022924.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022964.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022965.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022966.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022967.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022968.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022969.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022970.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022971.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022972.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022973.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP97\A0022974.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022979.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022980.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022981.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022983.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022984.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022985.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022986.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022987.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022988.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022989.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP98\A0022990.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0022994.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0022997.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0022998.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0022999.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023000.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023001.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023002.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023003.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023004.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023005.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023006.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023007.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP99\A0023008.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\Setup.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\WINDOWS\Fonts\x.zip/Setup.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\WINDOWS\Fonts\x.zip ZIP: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EEB6E7B9-757D-4D00-8474-19A6B9BE2279}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


________________________________________________________________



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14, on 2008-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4842 bytes