Continuous Popups [RESOLVED]


#1 jrsummersill1
Member, 136 posts

Hello,

I performed all of the necessary preliminary steps before posting the hijack log below. I would really appreciate it if someone could help me stop all of these annoying popups. Thank you in advance.

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:32 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLHOS~1.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLServiceHost.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6957
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6957
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6957
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [Oepomizz] C:\WINDOWS\a?sembly\m?iexec.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna....llerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna....,2007,1001,2139
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna....,2007,1001,2143
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsycyrty.html

--
End of file - 10483 bytes


Here is the AVG report:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:29:11 PM 2/6/2008

+ Scan result:



C:\Documents and Settings\Owner.Ariel\Desktop\installer-65398-19-LimeWire-English.exe -> Backdoor.Agent.duj : Cleaned.
C:\Documents and Settings\Owner.Ariel\Application Data\Міcrosoft\wucrtupd.exe -> Downloader.PurityScan.fj : Cleaned.
C:\Program Files\Movie Maker\profsycyrty.html -> Hijacker.IFrame.dn : Cleaned.
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe -> Not-A-Virus.Adware.PurityScan : Cleaned.
C:\Program Files\Outerinfo\FF\components\FF.dll -> Not-A-Virus.Adware.ZenoSearch : Cleaned.
C:\Documents and Settings\Owner.Ariel\Desktop\_bWU5bnR0aGVfbWE5X21iMQ_aW50bA_a2V5aW4_.exe -> Not-A-Virus.Hoax.Win32.Renos.vm : Cleaned.
:mozilla.42:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.630:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.631:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.632:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.633:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.634:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.635:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.636:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.225:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.171:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.172:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.173:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.182:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.183:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.292:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.294:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.354:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.7:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.8:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.501:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.372:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.511:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.90:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe -> Trojan.Scapur.k : Cleaned.


::Report end

Here is the SUPERAntiSpyware report:

SUPERAntiSpyware Scan Log
Generated 02/06/2008 at 08:08 PM

Application Version : 3.6.1000

Core Rules Database Version : 3396
Trace Rules Database Version: 1388

Scan type : Complete Scan
Total Scan Time : 03:43:05

Memory items scanned : 512
Memory threats detected : 6
Registry items scanned : 5920
Registry threats detected : 54
File items scanned : 79875
File threats detected : 76

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\MLJGE.DLL
C:\WINDOWS\SYSTEM32\MLJGE.DLL

Adware.WebBuying Assistant-Installer
C:\PROGRAM FILES\WEB BUYING\V1.8.8\WEBBUYING.EXE
C:\PROGRAM FILES\WEB BUYING\V1.8.8\WEBBUYING.EXE
[WebBuying] C:\PROGRAM FILES\WEB BUYING\V1.8.8\WEBBUYING.EXE
C:\WINDOWS\Prefetch\WEBBUYING.EXE-18F13C4F.pf

Adware.ClickSpring/Resident
C:\WINDOWS\ASEMBL~1\MIEXEC~1.EXE
C:\WINDOWS\ASEMBL~1\MIEXEC~1.EXE

Adware.StarsDoor
C:\PROGRAM FILES\DRMUPGDS\DRMUPGDS.EXE
C:\PROGRAM FILES\DRMUPGDS\DRMUPGDS.EXE
[Drmupgds] C:\PROGRAM FILES\DRMUPGDS\DRMUPGDS.EXE
C:\WINDOWS\Prefetch\DRMUPGDS.EXE-04F55F5B.pf

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\FTLGVUAL.DLL
C:\WINDOWS\SYSTEM32\FTLGVUAL.DLL
HKLM\Software\Classes\CLSID\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}
HKCR\CLSID\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}
HKCR\CLSID\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}\InprocServer32
HKCR\CLSID\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}\InprocServer32#ThreadingModel
HKCR\CLSID\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}\Programmable
HKCR\CLSID\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}\TypeLib
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3D4592CC-0724-0CDB-0461-5A00B7BB81BD}

Adware.WebBuying Assistant
C:\WINDOWS\SYSTEM32\ATWQHIA.DLL
C:\WINDOWS\SYSTEM32\ATWQHIA.DLL
HKLM\Software\Classes\CLSID\{256ccc3c-559a-4ef9-a663-6dc5556b7692}
HKCR\CLSID\{256CCC3C-559A-4EF9-A663-6DC5556B7692}
HKCR\CLSID\{256CCC3C-559A-4EF9-A663-6DC5556B7692}\InprocServer32
HKCR\CLSID\{256CCC3C-559A-4EF9-A663-6DC5556B7692}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6e30e8f2-920c-4765-9204-62aa31042dfe}
HKCR\CLSID\{6E30E8F2-920C-4765-9204-62AA31042DFE}
HKCR\CLSID\{6E30E8F2-920C-4765-9204-62AA31042DFE}\InprocServer32
HKCR\CLSID\{6E30E8F2-920C-4765-9204-62AA31042DFE}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{256ccc3c-559a-4ef9-a663-6dc5556b7692}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6e30e8f2-920c-4765-9204-62aa31042dfe}

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable
C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
HKLM\Software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-706670013-1408919803-415327136-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{934DD3D4-F5BF-4FCA-BF2B-C3B8CE9E9C82}
HKCR\CLSID\{934DD3D4-F5BF-4FCA-BF2B-C3B8CE9E9C82}
HKCR\CLSID\{934DD3D4-F5BF-4FCA-BF2B-C3B8CE9E9C82}\InprocServer32
HKCR\CLSID\{934DD3D4-F5BF-4FCA-BF2B-C3B8CE9E9C82}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{934DD3D4-F5BF-4FCA-BF2B-C3B8CE9E9C82}

Adware.Tracking Cookie

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\FF\chrome.manifest
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\Outerinfo\FF\components
C:\Program Files\Outerinfo\FF\install.rdf
C:\Program Files\Outerinfo\FF
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\Owner.Ariel\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner.Ariel\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Owner.Ariel\Start Menu\Programs\Outerinfo

Adware.Web Buying
C:\Program Files\Web Buying\v1.8.8\wbuninst.exe
C:\Program Files\Web Buying\v1.8.8
C:\Program Files\Web Buying
HKU\S-1-5-21-706670013-1408919803-415327136-1006\Software\WebBuying
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebBuying
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebBuying#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebBuying#UninstallString

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.VXGame-Trace
HKU\S-1-5-21-706670013-1408919803-415327136-1006\Software\kernelexe

Trojan.Downloader-Gen/SnapSNet
C:\DOCUMENTS AND SETTINGS\OWNER.ARIEL\LOCAL SETTINGS\TEMP\SNAPSNET.EXE

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\OWNER.ARIEL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GZRY564E\!UPDATE-4495[1].0000
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262954.EXE

Trojan.Unclassified/KernInst
C:\PROGRAM FILES\TEMPORARY\KERNINST.EXE

Rogue.MalwareAlarm-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262957.EXE

Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B122.EXE

Trojan.Downloader-Gen/MROFIN
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU572.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\EGJLM.INI

Trojan.REGSCAN
C:\WINDOWS\SYSTEM32\REGSCAN.EXE


and here is the Panda Scan:


Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt[.terra.com.br/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Owner.Ariel\Local Settings\Temp\yazzsnet.exe
Virus:Trj/Downloader.PLF Disinfected C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe



As I am trying to copy and paste this info, 6 popups happened simultaneously. This is absolutely crazy!! I look forward to hearing from you.

Jenny

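In the log above, `[Ealb]` runs from `APPLIC~1\CROSOF~1\wucrtupd.exe` (the AVG report shows that folder is "Міcrosoft" spelled with non-ASCII letters) and `[Oepomizz]` runs `C:\WINDOWS\a?sembly\m?iexec.exe`, where `?` is how HijackThis prints a character it cannot display, giving a look-alike of `assembly\msiexec.exe`. The Python below is an added triage example, not code from the thread or from HijackThis: it parses O4 lines and flags such look-alike names and executables launched from a user profile folder. The sample lines are copied from the log except the last, a constructed line modelled on the AVG report path with two Cyrillic letters.

```python
"""Triage O4 (Run-key) entries from a HijackThis log for look-alike paths.

Added example: heuristics a defender can apply to a pasted log, not a
HijackThis feature. Checks:
  * '?' in a path: HijackThis prints '?' for a character it cannot display,
    so the real name contains a non-ASCII character (a?sembly\\m?iexec.exe);
  * a path segment mixing Latin letters with another script (Cyrillic look-alikes);
  * a segment that, with those characters treated as wildcards, matches a
    well-known Windows name (msiexec.exe, assembly, microsoft, ...);
  * an executable launched from a user profile directory instead of
    Program Files or the Windows directory.
"""
import fnmatch
import re
import unicodedata
from typing import List, NamedTuple, Optional, Set

# Sample O4 lines: the first three are copied from the HijackThis log in the
# thread; the last is constructed to model the AVG report path, with 'Microsoft'
# spelled using CYRILLIC CAPITAL EM (U+041C) and CYRILLIC SMALL I (U+0456).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe',
    r'O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Oepomizz] C:\WINDOWS\a?sembly\m?iexec.exe',
    'O4 - HKCU\\..\\Run: [Ealb] "C:\\Documents and Settings\\Owner.Ariel'
    '\\Application Data\\\u041c\u0456crosoft\\wucrtupd.exe" -vt ndrv',
]

# Legitimate names that the malware in this log imitates; extend as needed.
LOOKALIKE_TARGETS = ('assembly', 'microsoft', 'msiexec.exe', 'svchost.exe',
                     'explorer.exe', 'wuauclt.exe', 'lsass.exe', 'winlogon.exe')
# Lower-case markers of per-user data directories on Windows XP (long and 8.3 forms).
PROFILE_MARKERS = ('documents and settings', 'docume~1', 'application data',
                   'applic~1', 'local settings', 'locals~1')

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


class Finding(NamedTuple):
    name: str           # the [Name] of the Run value
    path: str           # executable path as written in the log
    reasons: List[str]  # empty when nothing looked suspicious


def extract_path(cmd: str) -> str:
    """Return the executable path from a Run value's command line."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]


def scripts_in(segment: str) -> Set[str]:
    """Unicode script prefixes (LATIN, CYRILLIC, ...) of the letters in a name."""
    return {unicodedata.name(c, 'UNKNOWN').split(' ')[0] for c in segment if c.isalpha()}


def wildcard_form(segment: str) -> str:
    """Lower-case a name and turn each non-ASCII character into '?', the same
    rendering HijackThis uses, so fnmatch can compare it with a known name."""
    folded = ''.join(c if c.isascii() else '?' for c in segment.lower())
    return folded.replace('[', '[[]')  # keep '[' literal for fnmatch


def analyze_o4(line: str) -> Optional[Finding]:
    """Parse one log line; return a Finding for O4 entries, None otherwise."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = extract_path(m.group('cmd'))
    reasons: List[str] = []
    if '?' in path:
        reasons.append("path contains '?' (a character HijackThis could not display)")
    for seg in path.split('\\'):
        if len(scripts_in(seg)) > 1:
            reasons.append(f'mixed-script name {seg!r}')
        pattern = wildcard_form(seg)
        if '?' in pattern:
            for target in LOOKALIKE_TARGETS:
                if fnmatch.fnmatchcase(target, pattern):
                    reasons.append(f'{seg!r} is a look-alike of {target!r}')
    if any(marker in path.lower() for marker in PROFILE_MARKERS):
        reasons.append('executable launched from a user profile directory')
    return Finding(m.group('name'), path, reasons)


def suspicious_entries(lines) -> List[Finding]:
    """All O4 entries in the given log lines that triggered at least one heuristic."""
    findings = (analyze_o4(line) for line in lines)
    return [f for f in findings if f is not None and f.reasons]


if __name__ == '__main__':
    for f in suspicious_entries(SAMPLE_LINES):
        print(f'[{f.name}] {f.path}')
        for reason in f.reasons:
            print('    -', reason)
```

Run it against a whole pasted log by feeding every line to `suspicious_entries`; non-O4 lines are ignored.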
#2 RatHat
Ex Malware Expert, 7,829 posts

Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post me an Uninstall List from HijackThis:
  • Re-Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

When asked to "Save As" save Combofix.exe as Combo-Fix.exe
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post along with a fresh HijackThis log, taken after completing all of the above.


Regards,
RatHat
  • 0
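The ComboFix log RatHat asks for is normally read by eye, so here is an added example (my own code, not from this thread, from Geeks to Go or from ComboFix's authors) of how a helper could triage the "Reg Loading Points" section of such a log. It parses the value lines under any CurrentVersion\Run key and flags entries that ComboFix printed with an empty `[ ]` stamp, paths containing a placeholder or non-ASCII character, or executables started from a user profile or temp folder. The regex, the heuristics and the sample lines embedded below are my assumptions; the sample lines are constructed in the style of a ComboFix log.

```python
import re

# One value line inside a ComboFix "Reg Loading Points" block, e.g.
#   "swg"="C:\Program Files\...\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
#   "Ealb"="C:\DOCUME~1\...\wucrtupd.exe" [ ]
# The bracketed stamp is the file's timestamp and size; ComboFix leaves it
# empty when it could not read the file at that path.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]+?)"?\s*\[(?P<stamp>[^\]]*)\]\s*$'
)

# Constructed sample in the style of a ComboFix log (not a real machine's output).
# The "?" in the last Run entry stands for a character Windows could not display.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"Ealb"="C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" [ ]
"Oepomizz"="C:\WINDOWS\a?sembly\m?iexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"""


def parse_run_entries(log_text):
    """Return the value lines found under any ...\\CurrentVersion\\Run key."""
    entries = []
    hive = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive = line[1:-1]          # a new registry key header
            continue
        if hive is None or "currentversion\\run" not in hive.lower():
            continue                   # only Run/RunOnce-style keys are of interest here
        m = VALUE_RE.match(line)
        if m:
            entries.append({
                "hive": hive,
                "name": m["name"],
                "path": m["path"].strip(),
                "stamp": m["stamp"].strip(),
            })
    return entries


def suspicious_reasons(entry):
    """Heuristic review cues for one Run entry (my own rules, not ComboFix's)."""
    reasons = []
    if not entry["stamp"]:
        reasons.append("empty [ ] stamp: ComboFix could not read the file at this path")
    if any(ch == "?" or ord(ch) > 126 for ch in entry["path"]):
        reasons.append("placeholder or non-ASCII character in path (look-alike of a system path)")
    low = entry["path"].lower()
    if any(marker in low for marker in ("\\application data\\", "\\applic~1\\", "\\temp\\")):
        reasons.append("executable started from a user-writable profile or temp folder")
    return reasons


def triage(log_text):
    """Map each flagged Run value name to the list of reasons it was flagged."""
    flagged = {}
    for entry in parse_run_entries(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample this flags "Ealb" and "Oepomizz" and leaves the Google and Synaptics entries alone. The flags are review cues, not verdicts: an entry whose path uses an unexpanded environment variable such as %WINDIR% also gets an empty `[ ]` stamp, so each hit still needs a look at the actual file and its signer.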

#3
jrsummersill1

    Member

  • Topic Starter
  • Member
  • 136 posts
Thanks for your help RatHat! I performed the requested steps and here are the results:


Hijack Uninstall Log--I'm not sure if it matters, but I was unable to perform this step at first, but I tried it again before posting this reply and it worked. So this was actually the last thing that I did.

3D Groove Playback Engine
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AIM 6
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Avanquest update
AVG Anti-Spyware 7.5
Bejeweled 2 Deluxe
BigFix
Blackhawk Striker 2
Blasterball 2 Revolution
Browser Address Error Redirector
CSI-3 Dimensions of Murder 1.0
Diner Dash
DVD Solution
EuroTalk Talk Now Plus!
FATE
FLV Player 1.3.3
Gateway Game Console
Google Desktop
Google Toolbar for Internet Explorer
Google Video Player
gtw_logo
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel Matrix Storage Manager
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 2
Java™ 6 Update 2
Kaspersky Online Scanner
LimeWire 4.16.4
McAfee Uninstall Wizard
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2006
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIWA
mLogView
mMHouse
Motorola Driver Installation
Motorola SM56 Data Fax Modem
Mozilla Firefox (2.0.0.11)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mWlsSafe
mXML
My Web Search (Smiley Central)
MySpaceIM
mZConfig
Nancy Drew: Danger by Design
Nancy Drew: Message in a Haunted Mansion
Nancy Drew: The Creature of Kapu Cave
Napster
Napster Burn Engine
OPSWAT AntiVirus and Firewall Integration Libraries
Panda ActiveScan
Penguins!
PhotoFilter 1.0
Picasa 2
Polar Bowler
Polar Golfer
Power2Go 4.0
PowerDVD
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Rhapsody
Rhapsody Player Engine
SCRABBLE
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SigmaTel Audio
SIW version 1.73
Sonic Encoders
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Tradewinds
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WildTangent Web Driver
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB886185
Windows XP Media Center Edition 2005 KB925766
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)


Combo-Fix log


ComboFix 08-02.05.3 - Owner 2008-02-07 19:13:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.194 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Ariel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\cdaudioo.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\gebyaya.dll
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\winupdate.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner.Ariel\Application Data\CROSOF~1
C:\Documents and Settings\Owner.Ariel\Application Data\CROSOF~1\??crosoft\
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\avatar.dat
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\register.dat
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\zbucks.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\0003F82C
C:\Program Files\MyWebSearch\bar\Cache\0022D963
C:\Program Files\MyWebSearch\bar\Cache\01396196
C:\Program Files\MyWebSearch\bar\Cache\0384745B
C:\Program Files\MyWebSearch\bar\Cache\0384865C.bin
C:\Program Files\MyWebSearch\bar\Cache\03848776.bin
C:\Program Files\MyWebSearch\bar\Cache\0384889F.bin
C:\Program Files\MyWebSearch\bar\Cache\03849531.bin
C:\Program Files\MyWebSearch\bar\Cache\0384CF3D.bin
C:\Program Files\MyWebSearch\bar\Cache\0384D037.bin
C:\Program Files\MyWebSearch\bar\Cache\0384D1CD.bin
C:\Program Files\MyWebSearch\bar\Cache\0384D305.bin
C:\Program Files\MyWebSearch\bar\Cache\0384DF79
C:\Program Files\MyWebSearch\bar\Cache\04B220CF.bin
C:\Program Files\MyWebSearch\bar\Cache\04B22302.bin
C:\Program Files\MyWebSearch\bar\Cache\04B2240C.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asembl~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\b3
C:\WINDOWS\system32\b3\snmaildriv3.exe
C:\WINDOWS\system32\drivers\cdaudioo.sys
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\gebyaya.dll
C:\WINDOWS\system32\jkkklll.dll
C:\WINDOWS\system32\krqvlweu.dll
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\opnmklm.dll
C:\WINDOWS\system32\p4
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qynmilsn.dll
C:\WINDOWS\system32\s5
C:\WINDOWS\system32\s5\advcomms3.exe
C:\WINDOWS\system32\uewlvqrk.ini
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wvuvydba.dll
C:\WINDOWS\system32\z6
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CDAUDIOO
-------\cdaudioo


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 18:48 . 2003-05-27 16:30 245,920 -r-hs---- C:\cmldr
2008-02-07 18:14 . 2004-08-10 14:00 388,608 --a------ C:\kmd.exe
2008-02-07 18:12 . 2008-02-07 18:12 87,552 --a------ C:\WINDOWS\system32\TmpX.exe
2008-02-07 18:12 . 2008-02-07 18:12 111 --a------ C:\WINDOWS\system32\url3
2008-02-07 18:12 . 2008-02-07 18:12 102 --a------ C:\WINDOWS\system32\url1
2008-02-07 18:12 . 2008-02-07 18:12 99 --a------ C:\WINDOWS\system32\url2
2008-02-07 18:12 . 2008-02-07 18:12 8 --a------ C:\WINDOWS\system32\CID
2008-02-07 18:11 . 2008-02-07 18:12 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-02-07 18:11 . 2008-02-07 18:11 4 --a------ C:\WINDOWS\system32\SvcNm
2008-02-06 23:14 . 2008-02-06 23:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 21:14 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\idteywllgbyr.sys
2008-02-06 20:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\dnntduoxjbcy.sys
2008-02-06 20:27 . 2008-02-06 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 20:27 . 2008-02-06 21:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 20:27 . 2008-02-06 21:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 20:27 . 2008-02-06 21:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 16:19 . 2008-02-06 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 16:18 . 2008-02-06 21:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-06 16:18 . 2008-02-06 16:18 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\SUPERAntiSpyware.com
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\Grisoft
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-06 14:40 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 19:34 . 2008-02-07 18:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 19:34 . 2008-02-05 19:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 19:12 . 2008-02-05 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-05 19:07 . 2008-02-05 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-05 17:08 . 2008-02-06 20:13 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-05 16:59 . 2008-02-06 22:04 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-05 16:59 . 2008-02-05 17:02 <DIR> d-------- C:\Temp\isgTi19
2008-02-05 16:59 . 2008-02-07 19:14 <DIR> d-------- C:\Temp
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Program Files\EuroTalk
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\EuroTalk
2008-01-13 16:19 . 2008-01-13 16:19 <DIR> d-------- C:\Program Files\SIW
2008-01-10 18:35 . 2008-02-04 18:52 <DIR> d-------- C:\Program Files\LimeWire
2008-01-10 18:35 . 2008-02-04 18:52 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 02:50 --------- d-----w C:\Program Files\Zune
2008-02-07 02:37 --------- d-----w C:\Program Files\Google
2008-02-07 02:34 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-07 02:33 --------- d-----w C:\Program Files\AIM6
2008-02-06 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 23:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-16 17:07 --------- d-----w C:\Program Files\F5
2007-12-12 02:49 --------- d-----w C:\Documents and Settings\Owner.Ariel\Application Data\AdobeUM
2007-11-01 17:30 1,115,728 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-10-14 16:34 160 ----a-w C:\Documents and Settings\Owner.Ariel\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Ealb"="C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" [ ]
"Oepomizz"="C:\WINDOWS\a?sembly\m?iexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"HostManager"="C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 15:30 139264]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 03:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 03:32 696320]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51 166304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\profsycyrty.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-23 09:53 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-03-23 15:13 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-03-23 15:17 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-03-23 15:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 17:00 1005096 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2005-09-26 13:26 110592 C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2006-11-07 14:49 1121280 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Community Tools]
C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--------- 2005-08-12 01:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-09-27 20:17 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-05-23 22:22 573440 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 22:47 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 11:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--------- 2005-08-10 15:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 18:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S2 SIWF;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 01:14:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 19:23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLServiceHost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-02-07 19:25:31 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-02-08 00:25:27
.
2008-01-10 13:50:55 --- E O F ---


Kaspersky log


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 07, 2008 9:27:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 553665
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 79462
Number of viruses found: 26
Number of infected objects: 89
Number of suspicious objects: 0
Duration of the scan process: 01:03:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4eaa44cf/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4eaa44cf ZIP: infected - 1 skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-670fc2ec/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-670fc2ec ZIP: infected - 1 skipped
C:\Documents and Settings\Owner.Ariel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\AOL OCP\AIM\Storage\data\taraisonaim\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.Ariel\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\b3\snmaildriv3.exe.vir Infected: Trojan-Downloader.Win32.Small.iaw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkklll.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\krqvlweu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnmklm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qynmilsn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wvuvydba.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan.Win32.Agent.cyt skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip/cdaudioo.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip/gebyaya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip/mljge.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262956.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262958.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262958.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262959.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262975.exe Infected: Trojan-Downloader.Win32.Adload.qy skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262976.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262981.exe Infected: Trojan-Downloader.Win32.Agent.ipm skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262982.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262983.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262984.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265341.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265343.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265344.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265345.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265346.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265347.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265348.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265349.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265350.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265351.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265352.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265353.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265354.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265355.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265357.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265358.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265360.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265362.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265363.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265364.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265366.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265367.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265368.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265369.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265370.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265379.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265380.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265383.exe Infected: Trojan.Win32.Agent.cyt skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265390.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265391.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265392.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265394.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265396.exe Infected: Trojan-Downloader.Win32.Small.iaw skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265402.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265403.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Motorola SM56 Data Fax Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D1D7E38D-CAAB-4640-B0C3-736D7B34DCEC}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C903B2E7-FFB1-4F74-8FCD-A4AC7D5ED31D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\syste
  • 0

#4
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
The Kaspersky log was cut short. Could you post it again, or attach it?

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Regards,
RatHat
  • 0

#5
jrsummersill1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
Sorry about that, here is the Kaspersky log again:

KASPERSKY ONLINE SCANNER REPORT
Thursday, February 07, 2008 9:27:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 553665
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 79462
Number of viruses found: 26
Number of infected objects: 89
Number of suspicious objects: 0
Duration of the scan process: 01:03:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4eaa44cf/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4eaa44cf ZIP: infected - 1 skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-670fc2ec/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-670fc2ec ZIP: infected - 1 skipped
C:\Documents and Settings\Owner.Ariel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\AOL OCP\AIM\Storage\data\taraisonaim\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.Ariel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.Ariel\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\b3\snmaildriv3.exe.vir Infected: Trojan-Downloader.Win32.Small.iaw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkklll.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\krqvlweu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnmklm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qynmilsn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wvuvydba.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan.Win32.Agent.cyt skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip/cdaudioo.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip/gebyaya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip/mljge.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-07_192233.62.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262956.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262958.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262958.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262959.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262975.exe Infected: Trojan-Downloader.Win32.Adload.qy skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262976.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262981.exe Infected: Trojan-Downloader.Win32.Agent.ipm skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262982.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262983.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP288\A0262984.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265341.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265343.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265344.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265345.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265346.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265347.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265348.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265349.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265350.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265351.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265352.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265353.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265354.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265355.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265357.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265358.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265360.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265362.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265363.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265364.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265366.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265367.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265368.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265369.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265370.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265379.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265380.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265383.exe Infected: Trojan.Win32.Agent.cyt skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265390.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265391.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265392.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265394.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265396.exe Infected: Trojan-Downloader.Win32.Small.iaw skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265402.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\A0265403.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Motorola SM56 Data Fax Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D1D7E38D-CAAB-4640-B0C3-736D7B34DCEC}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C903B2E7-FFB1-4F74-8FCD-A4AC7D5ED31D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP291\change.log Object is locked skipped

Scan process completed.

#6
RatHat
    Ex Malware Expert

Please uninstall the following programs:


J2SE Runtime Environment 5.0 Update 2
LimeWire 4.16.4
My Web Search (Smiley Central) <-- You may get an error here; if so, don't worry and continue with the next program to uninstall
Viewpoint Manager (Remove Only)
Viewpoint Media Player

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\kmd.exe
C:\WINDOWS\system32\TmpX.exe
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\CID
C:\Documents and Settings\Owner.Ariel\Application Data\wklnhst.dat
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll


Folder::
C:\WINDOWS\system32\nGpxx01
C:\Temp\isgTi19
C:\Program Files\LimeWire
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4eaa44cf
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-670fc2ec


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Oepomizz"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Community Tools]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

Collect::
C:\WINDOWS\system32\drivers\idteywllgbyr.sys
C:\WINDOWS\system32\drivers\dnntduoxjbcy.sys


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. ComboFix may need to reboot your computer; if it asks to, let it.

6. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Under the Yellow heading, Paste custom list of Files/Folders to be moved, copy and paste the following:
purity
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please include the contents of OTM.txt in your next reply.

Regards,
RatHat
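As an added illustration (not RatHat's instructions and not ComboFix's own code), the Python below shows why a Run value like the "Oepomizz" one deleted in the script above stands out when you read the "Reg Loading Points" section of a ComboFix log. It treats an empty "[ ]" after a path as "no file metadata was obtained" and a "?" inside a path as a character the log could not render (the way non-ASCII look-alike folder and file names surface); the user-writable directory list and the list of imitated Windows binaries are this example's own heuristics, and the sample lines are copied from the ComboFix log posted later in this thread.

```python
"""Triage Run-key autostart entries from a ComboFix 'Reg Loading Points' dump.

Each value is printed as:  "Name"="C:\\path\\image.exe" [YYYY-MM-DD HH:MM size]
This example treats an empty bracket '[ ]' as "no file metadata obtained" and
a '?' inside a path as a character the log could not render (how non-ASCII
look-alike folder and file names show up). The heuristic lists below are
assumptions of this example, not ComboFix settings.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

# Reason strings kept as constants so callers can match on them exactly.
NO_META = "no file metadata (image missing or unreadable when the log was taken)"
UNRENDERABLE = "unrenderable character(s) in path (possible look-alike name)"
USER_DIR = "image lives in a user-writable profile or temp directory"
LOOKALIKE = "file name imitates {}"

# Assumed heuristics: lower-case path fragments and imitation targets.
USER_WRITABLE_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\temp\\")
LOOKALIKE_TARGETS = ("msiexec.exe", "svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list


def _lookalike_target(basename: str):
    """Return the legitimate binary a '?'-masked basename would match, if any."""
    if "?" not in basename:
        return None
    # Each '?' stands for one unknown character, so it becomes a regex wildcard.
    pattern = re.escape(basename).replace(r"\?", ".")
    for target in LOOKALIKE_TARGETS:
        if re.fullmatch(pattern, target):
            return target
    return None


def assess_entry(path: str, meta: str) -> list:
    """Collect the reasons one Run-key value looks suspicious (empty list = none)."""
    reasons = []
    lowered = path.lower()
    if not meta.strip():
        reasons.append(NO_META)
    if "?" in path:
        reasons.append(UNRENDERABLE)
    if any(frag in lowered for frag in USER_WRITABLE_DIRS):
        reasons.append(USER_DIR)
    target = _lookalike_target(lowered.rsplit("\\", 1)[-1])
    if target:
        reasons.append(LOOKALIKE.format(target))
    return reasons


def triage_run_entries(lines):
    """Walk log lines, track the current registry key, and score Run-key values."""
    findings = []
    key = None
    for raw in lines:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None or not key.lower().endswith("\\run"):
            continue
        reasons = assess_entry(m.group("path"), m.group("meta"))
        if reasons:
            findings.append(Finding(key, m.group("name"), m.group("path"), reasons))
    # Most reasons first: the entries a responder should read first.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


# Constructed sample: lines copied from the ComboFix log posted later in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Ealb"="C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" [ ]
"Oepomizz"="C:\WINDOWS\a?sembly\m?iexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_LOG):
        print(f"{f.name!r} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
```

An entry flagged for a single weak reason (here "Recguard", an unexpanded %WINDIR% path with no metadata) still needs a human look before anything is scripted for removal; the ranking only orders the reading.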

#7
jrsummersill1
    Member
  • Topic Starter

RatHat:

I did everything up to this point:


8. If CF-Submit.htm is detected, ComboFix will generate this message box:



Clicking OK will cause the machine's browser to load CF-Submit.htm



9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
Click on the file to Select it.
Submit the file by clicking "OK"



But then there were no images under #8 (except for some icon telling me something about pro photobucket). However, Mozilla Firefox opened and contained C:\Documents and Settings\Owner.Ariel\Desktop.\[4][email protected] I then copied and pasted this into the address box and clicked the go button, and it opened the zip file and showed a file icon, a txt icon and two other icons. Is this correct? Is this the same as submitting it? Also, if I click on the same zip file on my desktop, it does the same thing: it opens up and there is no "OK" button to submit it. But it did generate a ComboFix log and I saved it.

Just a little confused, :)
jrsummersill1

#8
RatHat
    Ex Malware Expert

Hi Jenny,

Could you submit the files manually for me, as it seems there may be a glitch in the submission file?

Using Internet Explorer, please go Here
  • In Link to topic where this file was requested: insert:
    http://www.geekstogo.com/forum/Continuous-Popups-t186638.html
  • Browse for the file that was saved to your desktop: [4][email protected]
  • In the Leave any comments box, please add: Requested to be uploaded by RatHat
  • Click Send File
  • When the file has been sent, delete it from your desktop, along with the Submit.htm file

After that could you continue with OTMoveIt, then post me the Combofix log, the OTM.txt log, a fresh HijackThis log, and let me know how your computer is behaving.

Regards,
RatHat

#9
jrsummersill1
    Member
  • Topic Starter

RatHat:

I manually submitted the CF-Submit file. Here are the logs:

ComboFix log:

ComboFix 08-02.05.3 - Owner 2008-02-07 19:13:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.194 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Ariel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\cdaudioo.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\gebyaya.dll
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\winupdate.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner.Ariel\Application Data\CROSOF~1
C:\Documents and Settings\Owner.Ariel\Application Data\CROSOF~1\??crosoft\
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\avatar.dat
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\register.dat
C:\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\zbucks.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\0003F82C
C:\Program Files\MyWebSearch\bar\Cache\0022D963
C:\Program Files\MyWebSearch\bar\Cache\01396196
C:\Program Files\MyWebSearch\bar\Cache\0384745B
C:\Program Files\MyWebSearch\bar\Cache\0384865C.bin
C:\Program Files\MyWebSearch\bar\Cache\03848776.bin
C:\Program Files\MyWebSearch\bar\Cache\0384889F.bin
C:\Program Files\MyWebSearch\bar\Cache\03849531.bin
C:\Program Files\MyWebSearch\bar\Cache\0384CF3D.bin
C:\Program Files\MyWebSearch\bar\Cache\0384D037.bin
C:\Program Files\MyWebSearch\bar\Cache\0384D1CD.bin
C:\Program Files\MyWebSearch\bar\Cache\0384D305.bin
C:\Program Files\MyWebSearch\bar\Cache\0384DF79
C:\Program Files\MyWebSearch\bar\Cache\04B220CF.bin
C:\Program Files\MyWebSearch\bar\Cache\04B22302.bin
C:\Program Files\MyWebSearch\bar\Cache\04B2240C.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asembl~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\b3
C:\WINDOWS\system32\b3\snmaildriv3.exe
C:\WINDOWS\system32\drivers\cdaudioo.sys
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\gebyaya.dll
C:\WINDOWS\system32\jkkklll.dll
C:\WINDOWS\system32\krqvlweu.dll
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\opnmklm.dll
C:\WINDOWS\system32\p4
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qynmilsn.dll
C:\WINDOWS\system32\s5
C:\WINDOWS\system32\s5\advcomms3.exe
C:\WINDOWS\system32\uewlvqrk.ini
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wvuvydba.dll
C:\WINDOWS\system32\z6
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CDAUDIOO
-------\cdaudioo


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 18:48 . 2003-05-27 16:30 245,920 -r-hs---- C:\cmldr
2008-02-07 18:14 . 2004-08-10 14:00 388,608 --a------ C:\kmd.exe
2008-02-07 18:12 . 2008-02-07 18:12 87,552 --a------ C:\WINDOWS\system32\TmpX.exe
2008-02-07 18:12 . 2008-02-07 18:12 111 --a------ C:\WINDOWS\system32\url3
2008-02-07 18:12 . 2008-02-07 18:12 102 --a------ C:\WINDOWS\system32\url1
2008-02-07 18:12 . 2008-02-07 18:12 99 --a------ C:\WINDOWS\system32\url2
2008-02-07 18:12 . 2008-02-07 18:12 8 --a------ C:\WINDOWS\system32\CID
2008-02-07 18:11 . 2008-02-07 18:12 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-02-07 18:11 . 2008-02-07 18:11 4 --a------ C:\WINDOWS\system32\SvcNm
2008-02-06 23:14 . 2008-02-06 23:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 21:14 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\idteywllgbyr.sys
2008-02-06 20:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\dnntduoxjbcy.sys
2008-02-06 20:27 . 2008-02-06 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 20:27 . 2008-02-06 21:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 20:27 . 2008-02-06 21:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 20:27 . 2008-02-06 21:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 16:19 . 2008-02-06 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 16:18 . 2008-02-06 21:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-06 16:18 . 2008-02-06 16:18 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\SUPERAntiSpyware.com
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\Grisoft
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-06 14:40 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 19:34 . 2008-02-07 18:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 19:34 . 2008-02-05 19:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 19:12 . 2008-02-05 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-05 19:07 . 2008-02-05 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-05 17:08 . 2008-02-06 20:13 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-05 16:59 . 2008-02-06 22:04 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-05 16:59 . 2008-02-05 17:02 <DIR> d-------- C:\Temp\isgTi19
2008-02-05 16:59 . 2008-02-07 19:14 <DIR> d-------- C:\Temp
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Program Files\EuroTalk
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\EuroTalk
2008-01-13 16:19 . 2008-01-13 16:19 <DIR> d-------- C:\Program Files\SIW
2008-01-10 18:35 . 2008-02-04 18:52 <DIR> d-------- C:\Program Files\LimeWire
2008-01-10 18:35 . 2008-02-04 18:52 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 02:50 --------- d-----w C:\Program Files\Zune
2008-02-07 02:37 --------- d-----w C:\Program Files\Google
2008-02-07 02:34 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-07 02:33 --------- d-----w C:\Program Files\AIM6
2008-02-06 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 23:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-16 17:07 --------- d-----w C:\Program Files\F5
2007-12-12 02:49 --------- d-----w C:\Documents and Settings\Owner.Ariel\Application Data\AdobeUM
2007-11-01 17:30 1,115,728 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-10-14 16:34 160 ----a-w C:\Documents and Settings\Owner.Ariel\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Ealb"="C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" [ ]
"Oepomizz"="C:\WINDOWS\a?sembly\m?iexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"HostManager"="C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 15:30 139264]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 03:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 03:32 696320]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51 166304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\profsycyrty.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-23 09:53 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-03-23 15:13 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-03-23 15:17 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-03-23 15:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 17:00 1005096 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2005-09-26 13:26 110592 C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2006-11-07 14:49 1121280 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Community Tools]
C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--------- 2005-08-12 01:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-09-27 20:17 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-05-23 22:22 573440 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 22:47 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 11:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--------- 2005-08-10 15:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 18:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S2 SIWF;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 01:14:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 19:23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLServiceHost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-02-07 19:25:31 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-02-08 00:25:27
.
2008-01-10 13:50:55 --- E O F ---


OTMoveit2 log:

[Custom Input]
< purity >

OTMoveIt2 v1.0.19 log created on 02102008_110208

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:41 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLServiceHost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6957
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6957
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6957
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna....llerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna....,2007,1001,2139
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna....,2007,1001,2143
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsycyrty.html

--
End of file - 10429 bytes


I think that the ComboFix log is an old one. I can't seem to find the one from 2/8/08 (I did it really late at night/early in the morning and must not have saved it where I should have :). Do you need me to get another log? If I find where I saved the other, I will post it. In any event, I haven't used this computer except to do what you instruct, but the last few times I have been on to perform your instructions, I haven't had any popups. However, I still want to make sure that the system is completely clean.

Thanks,

jrsummersill1
  • 0

#10
jrsummersill1 (Topic Starter, Member, 136 posts)

RedHat:


Here are two ComboFix logs that I found from 2-8-08. I was not sure which one you needed:

ComboFix Quarantined files:

2004-08-10 14:00 388608 --a------ C:\Qoobox\Quarantine\C\kmd.exe.vir
2004-09-13 13:15 53 --a------ C:\Qoobox\Quarantine\D\Autorun.inf.vir
2007-06-08 09:44 8576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\dnntduoxjbcy.sys.vir
2007-06-08 09:44 8576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\idteywllgbyr.sys.vir
2007-08-08 14:40 10134 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\icons\PSS.ICO.vir
2007-08-08 14:40 1024 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\History\search2.vir
2007-08-08 14:40 106998 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\FISH.F3S.vir
2007-08-08 14:40 113081 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S.vir
2007-08-08 14:40 116 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384DF79.vir
2007-08-08 14:40 118784 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir
2007-08-08 14:40 118784 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir
2007-08-08 14:40 122747 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\MAID.F3S.vir
2007-08-08 14:40 12782 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO.vir
2007-08-08 14:40 1284 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384889F.bin.vir
2007-08-08 14:40 129559 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S.vir
2007-08-08 14:40 139264 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir
2007-08-08 14:40 140 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST.vir
2007-08-08 14:40 140 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST.vir
2007-08-08 14:40 143360 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir
2007-08-08 14:40 143421 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir
2007-08-08 14:40 147456 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir
2007-08-08 14:40 149817 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S.vir
2007-08-08 14:40 155471 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S.vir
2007-08-08 14:40 16 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\s_pid.dat.vir
2007-08-08 14:40 16384 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir
2007-08-08 14:40 1668 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\03848776.bin.vir
2007-08-08 14:40 1724 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384865C.bin.vir
2007-08-08 14:40 1928 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384CF3D.bin.vir
2007-08-08 14:40 1940 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\03849531.bin.vir
2007-08-08 14:40 20164 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG.vir
2007-08-08 14:40 20480 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir
2007-08-08 14:40 243509 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S.vir
2007-08-08 14:40 244 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384D305.bin.vir
2007-08-08 14:40 24576 --a------ C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir
2007-08-08 14:40 24576 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir
2007-08-08 14:40 24576 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir
2007-08-08 14:40 24576 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir
2007-08-08 14:40 24673 --a------ C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll.vir
2007-08-08 14:40 24673 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir
2007-08-08 14:40 24675 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir
2007-08-08 14:40 24677 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir
2007-08-08 14:40 249856 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir
2007-08-08 14:40 272367 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S.vir
2007-08-08 14:40 28672 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir
2007-08-08 14:40 28672 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir
2007-08-08 14:40 28672 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir
2007-08-08 14:40 290816 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir
2007-08-08 14:40 301118 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S.vir
2007-08-08 14:40 305 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT.vir
2007-08-08 14:40 319560 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir
2007-08-08 14:40 34118 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Message\COMMON.F3S.vir
2007-08-08 14:40 40960 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir
2007-08-08 14:40 43287 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S.vir
2007-08-08 14:40 4814 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir
2007-08-08 14:40 49245 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir
2007-08-08 14:40 5446 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV.vir
2007-08-08 14:40 56438 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S.vir
2007-08-08 14:40 56688 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\REVERSI.F3S.vir
2007-08-08 14:40 57344 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir
2007-08-08 14:40 6462 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR.vir
2007-08-08 14:40 65536 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir
2007-08-08 14:40 65536 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir
2007-08-08 14:40 66726 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHESS.F3S.vir
2007-08-08 14:40 71675 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\DOG.F3S.vir
2007-08-08 14:40 73728 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir
2007-08-08 14:40 7406 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\icons\CM.ICO.vir
2007-08-08 14:40 7406 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\icons\MFC.ICO.vir
2007-08-08 14:40 7406 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\icons\SMILEY.ICO.vir
2007-08-08 14:40 7406 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\icons\WB.ICO.vir
2007-08-08 14:40 78964 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm.vir
2007-08-08 14:40 86078 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir
2007-08-08 14:40 86085 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir
2007-08-08 14:40 89655 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S.vir
2007-08-08 14:40 94208 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir
2007-08-08 14:40 944 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384D037.bin.vir
2007-08-08 14:40 976 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384D1CD.bin.vir
2007-08-14 17:38 116 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0384745B.vir
2007-08-14 17:38 1192 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\04B2240C.bin.vir
2007-08-14 17:38 1644 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\04B220CF.bin.vir
2007-08-14 17:38 920 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\04B22302.bin.vir
2007-08-21 04:12 0 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\01396196.vir
2007-08-21 18:33 24026 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html.vir
2007-08-21 18:33 31236 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html.vir
2007-08-23 19:34 24026 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html.vir
2007-08-23 19:34 31236 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html.vir
2007-08-24 20:19 47487 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html.vir
2007-08-24 20:19 56777 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html.vir
2007-08-30 18:02 12782 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico.vir
2007-08-30 18:02 1331 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif.vir
2007-08-30 18:02 1436 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif.vir
2007-08-30 18:02 1470 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif.vir
2007-08-30 18:02 1698 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif.vir
2007-08-30 18:02 2157 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif.vir
2007-08-30 18:02 2234 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css.vir
2007-08-30 18:02 2247 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif.vir
2007-08-30 18:02 25 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf.vir
2007-08-30 18:02 2648 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css.vir
2007-08-30 18:02 3129 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm.vir
2007-08-30 18:02 3340 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm.vir
2007-08-30 18:02 3370 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif.vir
2007-08-30 18:02 38969 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js.vir
2007-08-30 18:02 4973 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm.vir
2007-08-30 18:02 522 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif.vir
2007-08-30 18:02 663 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm.vir
2007-08-30 18:02 730 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif.vir
2007-08-30 18:02 735 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif.vir
2007-08-30 18:02 754 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif.vir
2007-08-30 18:02 755 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif.vir
2007-08-30 18:02 762 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif.vir
2007-08-30 18:02 784 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif.vir
2007-08-30 18:02 790 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif.vir
2007-08-30 18:02 80 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif.vir
2007-09-23 20:05 279600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2007-10-14 11:34 160 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\wklnhst.dat.vir
2007-11-24 01:34 493 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\register.dat.vir
2007-12-22 12:16 255 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\zbucks.dat.vir
2007-12-22 12:18 52641 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\FunWebProducts\Data\Owner\avatar.dat.vir
2007-12-26 00:09 402440 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2008-01-05 16:48 126976 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\s5\advcomms3.exe.vir
2008-01-09 00:44 28747 --a------ C:\Qoobox\Quarantine\C\Temp\1cb\syscheck.log.vir
2008-01-10 18:39 704 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\fileurns.bak.vir
2008-01-10 18:43 87 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\filters.props.vir
2008-01-17 17:16 124861 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html.vir
2008-01-17 17:16 430398 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html.vir
2008-01-28 12:52 106 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0022D963.vir
2008-01-31 05:29 9302 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\b3\snmaildriv3.exe.vir
2008-02-01 14:15 11575 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\simpp.xml.vir
2008-02-04 18:45 1910 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\version.xml.vir
2008-02-04 18:46 333 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\createtimes.cache.vir
2008-02-04 18:46 4499000 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.4.exe.vir
2008-02-04 18:51 1362 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\ttrees.cache.vir
2008-02-04 18:51 18626 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\gnutella.net.vir
2008-02-04 18:51 331 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\ttroot.cache.vir
2008-02-04 18:51 82 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\responses.cache.vir
2008-02-04 18:51 82 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\spam.dat.vir
2008-02-04 18:52 104 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\kill_on.gif.vir
2008-02-04 18:52 1174 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\fileurns.cache.vir
2008-02-04 18:52 143 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\warning.gif.vir
2008-02-04 18:52 167 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\question.gif.vir
2008-02-04 18:52 2091 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\notsearching.png.vir
2008-02-04 18:52 236 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\01_star.gif.vir
2008-02-04 18:52 27070 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme.lwtp.vir
2008-02-04 18:52 291 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\02_star.gif.vir
2008-02-04 18:52 325 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\03_star.gif.vir
2008-02-04 18:52 365 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\04_star.gif.vir
2008-02-04 18:52 374 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\05_star.gif.vir
2008-02-04 18:52 4400 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\logo.png.vir
2008-02-04 18:52 520 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\chat.gif.vir
2008-02-04 18:52 5762 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\searching.gif.vir
2008-02-04 18:52 6 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\version.txt.vir
2008-02-04 18:52 789 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\theme.txt.vir
2008-02-04 18:52 883 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\stop_dn.gif.vir
2008-02-04 18:52 883 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\stop_up.gif.vir
2008-02-04 18:52 889 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\play_dn.gif.vir
2008-02-04 18:52 889 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\play_up.gif.vir
2008-02-04 18:52 892 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\pause_dn.gif.vir
2008-02-04 18:52 892 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\pause_up.gif.vir
2008-02-04 18:52 920 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif.vir
2008-02-04 18:52 920 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\rewind_up.gif.vir
2008-02-04 18:52 922 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\forward_dn.gif.vir
2008-02-04 18:52 922 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\forward_up.gif.vir
2008-02-04 18:52 99 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\kill.gif.vir
2008-02-04 19:36 11572 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\limewire.props.vir
2008-02-04 19:36 130 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\mojito.props.vir
2008-02-04 19:36 268 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\installation.props.vir
2008-02-04 19:36 295 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\tables.props.vir
2008-02-04 19:36 89 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\questions.props.vir
2008-02-05 09:23 402 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Ariel\Application Data\LimeWire\library.dat.vir
2008-02-05 16:59 40960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gebyaya.dll.vir
2008-02-05 16:59 40960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkklll.dll.vir
2008-02-05 16:59 40960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\opnmklm.dll.vir
2008-02-05 17:01 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache(2).dsk.vir
2008-02-05 17:01 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache(3).dsk.vir
2008-02-05 17:01 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache(4).dsk.vir
2008-02-05 17:01 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache(5).dsk.vir
2008-02-05 17:01 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache(6).dsk.vir
2008-02-05 17:01 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache(7).dsk.vir
2008-02-05 17:01 86016 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\cdaudioo.sys.vir
2008-02-05 17:02 1858 --a------ C:\Qoobox\Quarantine\C\Temp\isgTi19\lPig.log.vir
2008-02-05 17:05 331264 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mljge.dll.vir
2008-02-06 13:00 92224 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wvuvydba.dll.vir
2008-02-06 16:11 106 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0003F82C.vir
2008-02-06 16:51 1318 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\files.ini.vir
2008-02-06 20:16 167545 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2008-02-06 22:53 4232 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-02-06 22:53 5470 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-02-07 17:57 87616 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\krqvlweu.dll.vir
2008-02-07 17:57 95808 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qynmilsn.dll.vir
2008-02-07 18:12 102 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\url1.vir
2008-02-07 18:12 111 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\url3.vir
2008-02-07 18:12 8 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\CID.vir
2008-02-07 18:12 87552 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TmpX.exe.vir
2008-02-07 18:12 87552 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir
2008-02-07 18:12 99 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\url2.vir
2008-02-07 18:46 247 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-02-07 19:11 1219603 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uewlvqrk.ini.vir
2008-02-07 19:13 318439 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\egjlm.ini.vir
2008-02-07 19:13 318439 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\egjlm.ini2.vir
2008-02-07 19:15 1026 --a------ C:\Qoobox\Quarantine\Registry_backups\services_cdaudioo.reg.dat
2008-02-07 19:15 1100 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CDAUDIOO.reg.dat
2008-02-07 19:16 650273 --a------ C:\Qoobox\Quarantine\catchme2008-02-07_192233.62.zip
2008-02-07 19:16 898 --a------ C:\Qoobox\Quarantine\catchme.log


ComboFix log:

ComboFix 08-02.05.3 - Owner 2008-02-08 7:22:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.160 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Ariel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Ariel\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner.Ariel\Application Data\wklnhst.dat
C:\kmd.exe
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\TmpX.exe
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url3
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.4.exe
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\filters.props
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\installation.props
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\library.dat
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\mojito.props
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\questions.props
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\tables.props
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\ttrees.cache
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\ttroot.cache
C:\Documents and Settings\Owner.Ariel\Application Data\LimeWire\version.xml
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4eaa44cf\
C:\Documents and Settings\Owner.Ariel\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-670fc2ec\
C:\Documents and Settings\Owner.Ariel\Application Data\wklnhst.dat
C:\kmd.exe
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\drivers\dnntduoxjbcy.sys
C:\WINDOWS\system32\drivers\idteywllgbyr.sys
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\TmpX.exe
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url3

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 19:33 . 2008-02-07 19:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 19:33 . 2008-02-07 19:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-07 19:33 . 2008-02-07 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 18:48 . 2003-05-27 16:30 245,920 -r-hs---- C:\cmldr
2008-02-07 18:11 . 2008-02-07 18:12 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-02-07 18:11 . 2008-02-07 18:11 4 --a------ C:\WINDOWS\system32\SvcNm
2008-02-06 23:14 . 2008-02-06 23:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 20:27 . 2008-02-06 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 20:27 . 2008-02-06 21:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 20:27 . 2008-02-06 21:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 20:27 . 2008-02-06 21:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 16:19 . 2008-02-06 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 16:18 . 2008-02-06 21:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-06 16:18 . 2008-02-06 16:18 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\SUPERAntiSpyware.com
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\Grisoft
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-06 14:40 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 19:34 . 2008-02-07 18:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 19:34 . 2008-02-05 19:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 19:12 . 2008-02-05 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-05 19:07 . 2008-02-05 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-05 17:08 . 2008-02-06 20:13 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-05 16:59 . 2008-02-08 07:23 <DIR> d-------- C:\Temp
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Program Files\EuroTalk
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\EuroTalk
2008-01-13 16:19 . 2008-01-13 16:19 <DIR> d-------- C:\Program Files\SIW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 12:13 --------- d-----w C:\Program Files\Viewpoint
2008-02-08 12:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-07 02:50 --------- d-----w C:\Program Files\Zune
2008-02-07 02:37 --------- d-----w C:\Program Files\Google
2008-02-07 02:34 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-07 02:33 --------- d-----w C:\Program Files\AIM6
2008-02-06 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 23:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-16 17:07 --------- d-----w C:\Program Files\F5
2007-12-12 02:49 --------- d-----w C:\Documents and Settings\Owner.Ariel\Application Data\AdobeUM
2007-11-16 02:51 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-16 02:51 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-16 02:51 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-16 02:51 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-16 02:51 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-16 02:51 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-01 17:30 1,115,728 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Ealb"="C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"HostManager"="C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 15:30 139264]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 03:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 03:32 696320]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51 166304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\profsycyrty.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-23 09:53 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-03-23 15:13 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-03-23 15:17 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-03-23 15:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 17:00 1005096 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2005-09-26 13:26 110592 C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2006-11-07 14:49 1121280 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--------- 2005-08-12 01:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-09-27 20:17 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-05-23 22:22 573440 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 22:47 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 11:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--------- 2005-08-10 15:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 18:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S2 SIWF;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 01:14:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 07:25:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 7:25:50
ComboFix-quarantined-files.txt 2008-02-08 12:25:42
ComboFix2.txt 2008-02-08 00:25:31
.
2008-01-10 13:50:55 --- E O F ---
  • 0
#11
jrsummersill1
  • Topic Starter
  • Member
  • 136 posts
Sorry about calling you RedHat instead of RatHat. It has been a long weekend!! :)
  • 0

#12
RatHat
  • Ex Malware Expert
  • Expert
  • 7,829 posts
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" -vt ndrv
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZNfox000
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Owner.Ariel\Application Data\CROSOF~1\wucrtupd.exe

Folder::
C:\Program Files\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ealb"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Start Update" link under Manual Update.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Do Not Automatically generate report"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

Regards,
RedHat :)
  • 0
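RatHat's post above picks the "Ealb" Run entry out of the ComboFix log by eye and turns it into a CFScript. As an added example (not code from this thread, from ComboFix or from its authors), the Python below does that triage over the Run-key lines of a ComboFix "Reg Loading Points" section and emits a CFScript in the same File::/Registry:: form; the scoring rules are this editor's assumptions, and the sample lines are constructed from the log posted earlier in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the "Reg Loading Points" section of the
# ComboFix log posted in this thread (entries copied from that log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"Ealb"="C:\DOCUME~1\OWNER~1.ARI\APPLIC~1\CROSOF~1\wucrtupd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
SHORT_NAME = re.compile(r"~\d")  # an 8.3 short-name component such as DOCUME~1


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Return one dict (key, name, path, meta) per value under a ...\\Run key."""
    entries: List[Dict[str, str]] = []
    key: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            k = m.group("key")
            key = k if k.lower().endswith("\\run") else None  # only Run keys
            continue
        m = RUN_LINE.match(line)
        if m and key is not None:
            entries.append({"key": key, **m.groupdict()})
    return entries


def triage(entry: Dict[str, str]) -> List[str]:
    """Reasons (assumed heuristics) an autorun deserves a second look.
    Each one alone is weak: the thread's log shows empty brackets for the
    legitimate %WINDIR% entry too, so callers should require several."""
    reasons: List[str] = []
    path = entry["path"]
    upper = path.upper()
    if not entry["meta"].strip():
        reasons.append("no file date/size in brackets")
    if SHORT_NAME.search(path) and upper.startswith("C:\\DOCUME~1"):
        reasons.append("8.3 short path into a user profile")
    if "\\APPLIC~1\\" in upper or "\\APPLICATION DATA\\" in upper:
        reasons.append("autorun launched from Application Data")
    return reasons


def find_suspects(entries: List[Dict[str, str]], min_reasons: int = 2):
    return [e for e in entries if len(triage(e)) >= min_reasons]


def build_cfscript(suspects: List[Dict[str, str]]) -> str:
    """Emit a CFScript in the File::/Registry:: form used in this thread:
    the file path to quarantine, then '"name"=-' to delete the Run value.
    Paths are emitted as logged; the thread's own script expanded the
    profile part by hand, which needs the live filesystem."""
    files = [e["path"] for e in suspects]
    by_key: Dict[str, List[str]] = {}
    for e in suspects:
        by_key.setdefault(e["key"], []).append(e["name"])
    out = ["File::", *files, "", "Registry::"]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    for e in found:
        print(f'{e["name"]:15} {triage(e) or "-"}')
    print(build_cfscript(find_suspects(found)))
```

Run against the sample, only "Ealb" collects enough reasons; "Recguard" is flagged for its empty brackets alone and is left out, matching what RatHat did by hand.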

#13
jrsummersill1
  • Topic Starter
  • Member
  • 136 posts
RatHat, here you go....


Combofix log:

ComboFix 08-02.05.3 - Owner 2008-02-10 20:24:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Ariel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Ariel\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner.Ariel\Application Data\CROSOF~1\wucrtupd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Viewpoint

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 11:02 . 2008-02-10 11:02 <DIR> d-------- C:\_OTMoveIt
2008-02-08 07:21 . 2004-08-10 14:00 388,608 --a------ C:\kmd.exe
2008-02-07 19:33 . 2008-02-07 19:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 19:33 . 2008-02-07 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 18:48 . 2003-05-27 16:30 245,920 -r-hs---- C:\cmldr
2008-02-07 18:11 . 2008-02-07 18:12 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-02-07 18:11 . 2008-02-07 18:11 4 --a------ C:\WINDOWS\system32\SvcNm
2008-02-06 23:14 . 2008-02-06 23:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 20:27 . 2008-02-06 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 20:27 . 2008-02-06 21:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 20:27 . 2008-02-06 21:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 20:27 . 2008-02-06 21:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 16:19 . 2008-02-06 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 16:18 . 2008-02-06 21:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-06 16:18 . 2008-02-06 16:18 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\SUPERAntiSpyware.com
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\Grisoft
2008-02-06 14:40 . 2008-02-06 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-06 14:40 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 19:34 . 2008-02-07 18:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 19:34 . 2008-02-05 19:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 19:12 . 2008-02-05 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-05 19:07 . 2008-02-05 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-05 17:08 . 2008-02-06 20:13 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-05 16:59 . 2008-02-08 07:23 <DIR> d-------- C:\Temp
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Program Files\EuroTalk
2008-01-23 22:19 . 2008-01-23 22:19 <DIR> d-------- C:\Documents and Settings\Owner.Ariel\Application Data\EuroTalk
2008-01-13 16:19 . 2008-01-13 16:19 <DIR> d-------- C:\Program Files\SIW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 12:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-07 02:50 --------- d-----w C:\Program Files\Zune
2008-02-07 02:37 --------- d-----w C:\Program Files\Google
2008-02-07 02:34 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-07 02:33 --------- d-----w C:\Program Files\AIM6
2008-02-06 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 23:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-16 17:07 --------- d-----w C:\Program Files\F5
2007-12-12 02:49 --------- d-----w C:\Documents and Settings\Owner.Ariel\Application Data\AdobeUM
2007-11-16 02:51 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-16 02:51 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-16 02:51 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-16 02:51 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-16 02:51 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-16 02:51 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-01 17:30 1,115,728 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 22:47 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"HostManager"="C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 15:30 139264]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 03:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 03:32 696320]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51 166304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\profsycyrty.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-23 09:53 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-03-23 15:13 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-03-23 15:17 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-03-23 15:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 17:00 1005096 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2005-09-26 13:26 110592 C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2006-11-07 14:49 1121280 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--------- 2005-08-12 01:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-09-27 20:17 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-05-23 22:22 573440 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 22:47 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 11:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--------- 2005-08-10 15:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 18:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S2 SIWF;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 01:14:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 20:27:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\PROGRA~1\Google\GOOGLE~1\GOA66E~1.DLL
.
Completion time: 2008-02-10 20:27:58
ComboFix-quarantined-files.txt 2008-02-11 01:27:44
ComboFix2.txt 2008-02-08 12:25:51
ComboFix3.txt 2008-02-08 00:25:31
.
2008-01-10 13:50:55 --- E O F ---


AVG Antispyware report:


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:43:49 PM 2/10/2008

+ Scan result:



C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262955.exe -> Backdoor.Agent.duj : Cleaned.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262958.exe -> Not-A-Virus.Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262959.dll -> Not-A-Virus.Adware.ZenoSearch : Cleaned.
:mozilla.141:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.93:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.96:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.97:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.67:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.68:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.69:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.71:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.123:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.51:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.36:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.37:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.38:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.39:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.40:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.138:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.65:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.10:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.11:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.7:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.8:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.9:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.126:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.133:C:\Documents and Settings\Owner.Ariel\Application Data\Mozilla\Firefox\Profiles\h52qvpgv.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Owner.Ariel\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP287\A0262956.exe -> Trojan.Scapur.k : Cleaned.


::Report end



and Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:37 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLHOS~1.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6957
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6957
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6957
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna....llerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna....,2007,1001,2139
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna....,2007,1001,2143
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsycyrty.html

--
End of file - 10063 bytes


Thanks,

Jenny
  • 0

#14
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Jenny,

There is a service remaining that I want to get rid of. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

@echo off
REM sc works on the service key name, not the display name. The log shows this
REM service as "Security Service (SIWF)", so the key name is SIWF.
sc stop SIWF
sc delete SIWF
exit

Save it to your desktop as File name: Service.cmd
Save as type: All Files

Once done, double click Service.cmd to run it. A command window will open briefly, then close. This is quite normal.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now, re-open HiJackThis and scan. Check the box next to the entry listed below if it remains.

O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Post me a fresh HijackThis log when complete.

Regards,
RatHat
  • 0
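As an added example (not code from this thread or from HijackThis), the Python below parses O23 service lines in the format the posted logs use, flags entries that look like the "Security Service (SIWF)" one RatHat targets, and derives the `sc` commands from the service key name rather than the display name; the sample lines are constructed from the posted log.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example for this thread; it is not code from the thread or from
HijackThis. It parses the O23 format seen in the posted logs, flags entries
that look like the "Security Service (SIWF)" one, and builds the `sc` commands
from the service key name, which is what `sc stop`/`sc delete` expect.
SAMPLE_LOG is constructed from lines in the posted log.
"""
import ntpath
import re
from dataclasses import dataclass, field

# O23 - Service: <display> [(<key>)] - <owner> - <path>[ (file missing)]
# Assumed here: the "(key)" part is shown only when it differs from the
# display name (the posted "iPod Service" line has none).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

SYSTEM32 = r"c:\windows\system32"  # the only folder a real svchost.exe lives in


@dataclass
class ServiceEntry:
    display: str
    key: str            # name `sc` accepts; the display name is not accepted
    owner: str
    path: str
    file_missing: bool
    flags: list = field(default_factory=list)


def parse_o23(line):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"],
        key=m["key"] or m["display"],
        owner=m["owner"],
        path=m["path"],
        file_missing=m["missing"] is not None,
    )


def triage(entry):
    """Attach review flags to an entry and return it."""
    folder, base = ntpath.split(entry.path)
    if entry.file_missing:
        entry.flags.append("binary missing: orphaned or already-cleaned service")
    if base.lower() == "svchost.exe" and folder.lower() != SYSTEM32:
        entry.flags.append(f"svchost.exe outside {SYSTEM32}: impostor name")
    # "Unknown owner" alone is common for legitimate software (ProtexisLicensing
    # in the posted log), so it only corroborates another finding.
    if entry.owner == "Unknown owner" and entry.flags:
        entry.flags.append("no vendor info, corroborates the above")
    return entry


def suspicious_services(log_text):
    """Parse every O23 line in a log and return the flagged entries only."""
    found = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry and triage(entry).flags:
            found.append(entry)
    return found


def sc_commands(entry):
    """Stop/delete commands keyed on the service name; quote it if it has spaces."""
    name = f'"{entry.key}"' if " " in entry.key else entry.key
    return [f"sc stop {name}", f"sc delete {name}"]


# Constructed sample: four O23 lines and one non-O23 line from the posted log.
SAMPLE_LOG = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsycyrty.html
"""

if __name__ == "__main__":
    for entry in suspicious_services(SAMPLE_LOG):
        print(f"{entry.display} (key {entry.key}): " + "; ".join(entry.flags))
        print("  " + " && ".join(sc_commands(entry)))
```

Running it on a full log lists only the flagged services and the matching commands; anything else in the O23 section is left for manual review.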

#15
jrsummersill1

jrsummersill1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
RatHat, here is the hijack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:19 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLHOS~1.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\116429~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6957
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6957
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6957
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164294044\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna....llerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna....,2007,1001,2139
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna....,2007,1001,2143
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsycyrty.html

--
End of file - 10064 bytes

By the way, I ran Hijack twice and tried to remove "O23 - Service: Security Service (SIWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)", and, as you can see, it is still there.


Thanks,
Jenny