Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

computer can perform almost no tasks. {RESOLVED} [RESOLVED]

Started by iceblood , Feb 07 2008 11:42 PM

This topic is locked

#1
iceblood

Posted 07 February 2008 - 11:42 PM

Member

Member
10 posts

Hello,

I have been given the task of trying to fix this computer. The owner does not have a windows XP home disk so reinstall is out. When booted normally the PC can barely function. most applications will not run, even opening my computer is impossible. viewing the task manager I see that whatever application I try to run consistantly uses 99% of the system resources, for instance idle process will be 99%, I open IE and for however long I wait Iexplore.exe will use 99% of system resources, IE never opens.
I cannot install AVG. The final installtion step of AVG requires a file named something like avg7.sys to start. This step errors because the RPC service is not running. I try manually to start the service but recieve an error that the service does not respond in a timely fasion and never starts. I was unable to install windows defender but I did succeed in networking the PC and scanning the c drive with windows defender with another PC. I thought scanning with AVG would be good however free AVG does not allow scanning of mapped drives.
Via housecall I know the names of the viruses, PE_tras.A and Trojan_agent.toz.

Below I will post the scan from panda AV website and hijack this log (I am only able to run hijackthis from safe mode at the moment so Im not sure how usefull it will be). Panda did say it removed some viruses so I will reboot after this post and rescan then post the results.

Panda

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fcccdby.dll
Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][3].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][4].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][5].txt
Virus:Trj/Agent.HYR Disinfected C:\Documents and Settings\Ellen Brown\Application Data\Microsoft\Windows\fgbpiyv.exe
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Ellen Brown\Cookies\ellen brown@advancedcleaner[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Ellen Brown\Cookies\ellen [email protected][1].txt
Possible Virus. Not disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temp\TMP15.tmp
Possible Virus. Not disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temp\TMP17.tmp
Possible Virus. Not disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temp\TMP19.tmp
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temporary Internet Files\Content.IE5\C1MVSX2Z\f4d28682d186cc6beb75f106d133f489[1].zip[b128.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temporary Internet Files\Content.IE5\C1MVSX2Z\ptch[1]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temporary Internet Files\Content.IE5\CL6F8D6R\ptch[1]
Virus:Trj/Agent.HYR Disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temporary Internet Files\Content.IE5\SB6FYF41\wtrec.prod.v10006.11dec2007.exe[1].c516a643c558a4d4daa4efafd47eff15
Possible Virus. Not disinfected C:\Documents and Settings\Ellen Brown\Local Settings\Temporary Internet Files\Content.IE5\YJ6DUD23\wintouch.prod.v10015.11dec2007.exe[1].4ccc08fb3ce7ead370a0f9da32f020e7
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@casalemedia[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric [email protected][1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@targetsaver[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Eric Brown\Cookies\eric brown@zedo[1].txt
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\0010f9e2.sys
Adware:Adware/TopSpyware Not disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\360132hp132a.exe
Possible Virus. Not disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\360132hp132b.exe
Virus:Trj/Downloader.PLF Not disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\360132hp132d.exe[nGpxx132218.exe]
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\D109.tmp
Virus:Trj/Downloader.RUZ Disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\ismtpa8.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\TMP114.tmp
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Documents and Settings\Eric Brown\Local Settings\Temp\TMP117.tmp
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
Adware:Adware/Adband Not disinfected C:\Program Files\ISM\ism.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\ISM\Uninstall.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrDrive\QdrDrive9.dll
Possible Virus. Not disinfected C:\Program Files\QdrDrive\qdrloader.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrModule\QdrModule11 .exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrModule\QdrModule11.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrPack\QdrPack11 .exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrPack\QdrPack11.exe
Adware:Adware/Matcash Not disinfected C:\Program Files\Router\UnInstall.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\b128.exe
Virus:Generic Malware Disinfected C:\WINDOWS\system32\F?nts\w?nlogon.exe
Virus:Trj/Downloader.PLF Disinfected C:\WINDOWS\system32\nGpxx13\nGpxx132218.exe

Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:13 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 194.54.90.238 www.google.com
O1 - Hosts: 194.54.90.238 www.google.ca
O1 - Hosts: 194.54.90.238 www.google.com.ag
O1 - Hosts: 194.54.90.238 www.google.com.ar
O1 - Hosts: 194.54.90.238 www.google.com.au
O1 - Hosts: 194.54.90.238 www.google.at
O1 - Hosts: 194.54.90.238 www.google.az
O1 - Hosts: 194.54.90.238 www.google.be
O1 - Hosts: 194.54.90.238 www.google.com.br
O1 - Hosts: 194.54.90.238 www.google.vg
O1 - Hosts: 194.54.90.238 www.google.bi
O1 - Hosts: 194.54.90.238 www.google.ca
O1 - Hosts: 194.54.90.238 www.google.td
O1 - Hosts: 194.54.90.238 www.google.cl
O1 - Hosts: 194.54.90.238 www.google.com.co
O1 - Hosts: 194.54.90.238 www.google.co.cr
O1 - Hosts: 194.54.90.238 www.google.dk
O1 - Hosts: 194.54.90.238 www.google.com.do
O1 - Hosts: 194.54.90.238 www.google.fm
O1 - Hosts: 194.54.90.238 www.google.fi
O1 - Hosts: 194.54.90.238 www.google.fr
O1 - Hosts: 194.54.90.238 www.google.gm
O1 - Hosts: 194.54.90.238 www.google.ge
O1 - Hosts: 194.54.90.238 www.google.de
O1 - Hosts: 194.54.90.238 www.google.com.gi
O1 - Hosts: 194.54.90.238 www.google.com.gr
O1 - Hosts: 194.54.90.238 www.google.gl
O1 - Hosts: 194.54.90.238 www.google.gg
O1 - Hosts: 194.54.90.238 www.google.co.il
O1 - Hosts: 194.54.90.238 www.google.it
O1 - Hosts: 194.54.90.238 www.google.co.kr
O1 - Hosts: 194.54.90.238 www.google.lu
O1 - Hosts: 194.54.90.238
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A284662EA4EBF
968951185EFC412806867680AEDE604D64C2661373F80FB68AD6
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MotiveMonitor] "C:\Program Files\Motive\AsstCommon\motmon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153765131\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [0418d60c] rundll32.exe "C:\WINDOWS\system32\gcdmxykv.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MediaTV Monitor.lnk = C:\Program Files\ADS Tech\MediaTV\MediaTVMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...omaha-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...ibaba-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.co...jack2-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.co...deuce-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.co...bingo-en_US.cab
O16 - DPF: Hangman Hijinks by pogo - http://game1.pogo.co...ngman-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.co...fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.co...igsaw-en_US.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.co...swild-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.co...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...ottso-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.co...tooth-en_US.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.co...mbee2-en_US.cab
O16 - DPF: Vaults of Atlantis Slots by pogo - http://game1.pogo.co...slots-en_US.cab
O16 - DPF: Video Poker by pogo - http://game1.pogo.co...poker-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.co...ories-en_US.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.co...abble-en_US.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.co...mesLauncher.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RWxsZW4gIEJyb3du\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hvcbhywd.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 10304 bytes

quick updated.
I ran housecall and it does seem like panda removed some housecall had previously been unable to but the big one is still there 'PE_trats.A' along with a downloader 'Troj_vundo.aca' and 'PE_tras.a-o'. Housecall shows that these viruses are associated with the wireless card (zcfgsrvc.exe) ctfmon.exe snf fcccdby.dll (whatever that is). Im fear if I try booting in normal mode again I will only allow the trojans to install all the malware I have removed. I think at this point I will wait patiently for advice.

Edited by iceblood, 12 February 2008 - 02:38 PM.

#2
Rorschach112

Posted 11 February 2008 - 10:04 AM

Ralphie

Retired Staff
47,710 posts

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3
iceblood

Posted 11 February 2008 - 01:52 PM

Member

Topic Starter
Member
10 posts

Wow, ComboFix is a beast. It cleaned the system right up. I am running it in normal mode now, and its running well. Just some HP installation popup. I was able to install AVG and am running a scan as we speak, here are the logs of, first combofix then HJT. Thanks for the help and the referral to such software =).

combofix
ComboFix 08-02-11.2 - Ellen Brown 2008-02-13 1:30:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.513 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fcccdby.dll
C:\WINDOWS\system32\mlljg.dll
C:\Documents and Settings\Eric Brown\My Documents\YMBOLS~1\?ymbols\
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\America Online 9.0\AOL.EXE
C:\Program Files\Common Files\AOL\1153765131\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon .exe
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\0005E13F
C:\Program Files\MyWebSearch\bar\Cache\0005EC5B.bin
C:\Program Files\MyWebSearch\bar\Cache\00060552.bin
C:\Program Files\MyWebSearch\bar\Cache\000614D2.bin
C:\Program Files\MyWebSearch\bar\Cache\00061649.bin
C:\Program Files\MyWebSearch\bar\Cache\000623B7.bin
C:\Program Files\MyWebSearch\bar\Cache\00063105.bin
C:\Program Files\MyWebSearch\bar\Cache\000632DA.bin
C:\Program Files\MyWebSearch\bar\Cache\00063616.bin
C:\Program Files\MyWebSearch\bar\Cache\0006378D
C:\Program Files\MyWebSearch\bar\Cache\0BDDB1D7.bin
C:\Program Files\MyWebSearch\bar\Cache\0BDDB3CB.bin
C:\Program Files\MyWebSearch\bar\Cache\0BDDB542.bin
C:\Program Files\MyWebSearch\bar\Cache\0BDDB66B.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu11.exe
C:\WINDOWS\system32\\PSDrvCheck.exe
C:\WINDOWS\system32\agrhnasl.ini
C:\WINDOWS\system32\agrxowtf.ini
C:\WINDOWS\system32\atkxjgcb.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ctcgvlni.ini
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctnubnst.dll
C:\WINDOWS\system32\dlfudgls.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fahwjkto.dll
C:\WINDOWS\system32\fcccdby.dll
C:\WINDOWS\system32\fmidqigy.ini
C:\WINDOWS\system32\frahwcrc.ini
C:\WINDOWS\system32\fsflseiv.ini
C:\WINDOWS\system32\ftwoxrga.dll
C:\WINDOWS\system32\gcdmxykv.dll
C:\WINDOWS\system32\gheaeyoa.dll
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\idrienxh.dll
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\inlvgctc.dll
C:\WINDOWS\system32\lyhomfbx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\mlljg.exe
C:\WINDOWS\system32\nmanppjj.dll
C:\WINDOWS\system32\nqlyynye.dll
C:\WINDOWS\system32\otkjwhaf.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pejigliq.ini
C:\WINDOWS\system32\PSDrvCheck.exe
C:\WINDOWS\system32\sfuxlysd.dll
C:\WINDOWS\system32\ttnwnfem.dll
C:\WINDOWS\system32\uuxqtlrw.ini
C:\WINDOWS\system32\vieslfsf.dll
C:\WINDOWS\system32\vkyxmdcg.ini
C:\WINDOWS\system32\vkyxmdcg.tmp
C:\WINDOWS\system32\vtaikobi.dll
C:\WINDOWS\system32\wdlrammf.ini
C:\WINDOWS\system32\wrltqxuu.dll
C:\WINDOWS\system32\wtsisvcc32.exe
C:\WINDOWS\system32\wwxucikh.dll
C:\WINDOWS\system32\xbfmohyl.dll
C:\WINDOWS\system32\yoyjbtcm.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Eric Brown\My Documents\YMBOLS~1
C:\Documents and Settings\Eric Brown\My Documents\YMBOLS~1\?ymbols\
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Eric Brown\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\America Online 9.0\aol.exe
C:\Program Files\Common Files\AOL\1153765131\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\inetget2
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon .exe
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\0005E13F
C:\Program Files\MyWebSearch\bar\Cache\0005EC5B.bin
C:\Program Files\MyWebSearch\bar\Cache\00060552.bin
C:\Program Files\MyWebSearch\bar\Cache\000614D2.bin
C:\Program Files\MyWebSearch\bar\Cache\00061649.bin
C:\Program Files\MyWebSearch\bar\Cache\000623B7.bin
C:\Program Files\MyWebSearch\bar\Cache\00063105.bin
C:\Program Files\MyWebSearch\bar\Cache\000632DA.bin
C:\Program Files\MyWebSearch\bar\Cache\00063616.bin
C:\Program Files\MyWebSearch\bar\Cache\0006378D
C:\Program Files\MyWebSearch\bar\Cache\0BDDB1D7.bin
C:\Program Files\MyWebSearch\bar\Cache\0BDDB3CB.bin
C:\Program Files\MyWebSearch\bar\Cache\0BDDB542.bin
C:\Program Files\MyWebSearch\bar\Cache\0BDDB66B.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Router
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu11.exe
C:\WINDOWS\RWxsZW4gIEJyb3du\
C:\WINDOWS\system32\\PSDrvCheck.exe
C:\WINDOWS\system32\agrhnasl.ini
C:\WINDOWS\system32\agrxowtf.ini
C:\WINDOWS\system32\atkxjgcb.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ctcgvlni.ini
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctnubnst.dll
C:\WINDOWS\system32\dlfudgls.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fahwjkto.dll
C:\WINDOWS\system32\fmidqigy.ini
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\frahwcrc.ini
C:\WINDOWS\system32\fsflseiv.ini
C:\WINDOWS\system32\ftwoxrga.dll
C:\WINDOWS\system32\gcdmxykv.dll
C:\WINDOWS\system32\gheaeyoa.dll
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\idrienxh.dll
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\inlvgctc.dll
C:\WINDOWS\system32\lyhomfbx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlljg.exe
C:\WINDOWS\system32\nmanppjj.dll
C:\WINDOWS\system32\nqlyynye.dll
C:\WINDOWS\system32\otkjwhaf.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pejigliq.ini
C:\WINDOWS\system32\PSDrvCheck.exe
C:\WINDOWS\system32\sfuxlysd.dll
C:\WINDOWS\system32\ttnwnfem.dll
C:\WINDOWS\system32\uuxqtlrw.ini
C:\WINDOWS\system32\vieslfsf.dll
C:\WINDOWS\system32\vkyxmdcg.ini
C:\WINDOWS\system32\vkyxmdcg.tmp
C:\WINDOWS\system32\vtaikobi.dll
C:\WINDOWS\system32\wdlrammf.ini
C:\WINDOWS\system32\wrltqxuu.dll
C:\WINDOWS\system32\wtsisvcc32.exe
C:\WINDOWS\system32\wwxucikh.dll
C:\WINDOWS\system32\xbfmohyl.dll
C:\WINDOWS\system32\yoyjbtcm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-09 13:10 . 2008-02-08 23:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-09 10:09 . 2008-02-09 21:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-09 10:09 . 2008-02-09 20:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-09 10:09 . 2008-02-09 20:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-09 10:09 . 2008-02-09 20:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-08 23:51 . 2008-02-10 06:26 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-08 15:39 . 2008-02-08 15:39 <DIR> d-------- C:\WINDOWS.0
2008-02-06 03:04 . 2008-02-06 05:30 <DIR> d-------- C:\Documents and Settings\Ellen Brown\.housecall6.6
2008-02-04 03:56 . 2006-07-24 10:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-04 03:56 . 2006-12-06 09:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACT
2008-02-04 03:55 . 2006-07-23 16:53 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-04 03:55 . 2006-09-27 08:42 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-04 03:55 . 2006-07-23 17:10 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-02-04 03:55 . 2006-07-24 10:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-02-04 03:55 . 2006-07-23 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-02-04 03:55 . 2006-07-14 03:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-02-04 03:55 . 2006-09-28 08:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-02-04 03:55 . 2006-12-07 14:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-01-24 02:17 . 2008-01-24 02:17 <DIR> d-------- C:\Documents and Settings\Ellen Brown\Application Data\Lavasoft
2008-01-23 06:56 . 2008-02-08 23:01 179 --a------ C:\handle.dat
2008-01-23 06:54 . 2008-02-12 04:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-23 06:48 . 2008-02-09 11:02 <DIR> d-------- C:\WINDOWS\system32\nGpxx13
2008-01-23 06:48 . 2008-01-23 06:48 <DIR> d-------- C:\TEMP\cXzz9
2008-01-14 07:04 . 2008-01-14 07:04 <DIR> d-------- C:\Render
2008-01-14 07:04 . 2008-01-14 07:04 40 --a------ C:\WINDOWS\system32\blue.SITENAME
2008-01-14 07:03 . 2008-01-14 07:04 404 --a------ C:\WINDOWS\VFO.VST

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 09:24 --------- d-----w C:\Program Files\QuickTime
2008-02-13 09:24 --------- d-----w C:\Program Files\Microsoft Location Finder
2008-02-13 09:24 --------- d-----w C:\Program Files\America Online 9.0
2008-02-10 05:23 --------- d-----w C:\Program Files\OFFICE11
2008-02-09 10:26 --------- d-----w C:\Program Files\Trend Micro
2008-02-06 13:19 --------- d-----w C:\Program Files\Dot1XCfg
2008-02-06 13:19 --------- d-----w C:\Program Files\Common Files\uumk
2008-01-14 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-14 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-10 12:30 --------- d-----w C:\Documents and Settings\Eric Brown\Application Data\AdobeUM
2007-12-19 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2006-12-07 22:15 56 --sh--r C:\WINDOWS\system32\86EA9BBB2F.sys
.

<pre>
----a-w		 1,015,808 2008-02-09 17:51:28  C:\Program Files\ACT\ACT for Windows\Act8 .exe
----a-w			50,768 2008-02-09 17:53:08  C:\Program Files\America Online 9.0\aol .exe
----a-w			50,736 2008-02-09 17:51:18  C:\Program Files\Common Files\AOL\1153765131\ee\AOLSoftware .exe
----a-w			71,216 2008-02-09 17:51:25  C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
----a-w			32,768 2008-02-09 17:50:35  C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader .exe
----a-w			32,768 2008-02-09 17:50:43  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w			49,152 2008-02-09 17:51:14  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   356,352 2008-02-09 17:51:24  C:\Program Files\Intel\Wireless\Bin\EOUWiz .exe
----a-w		   385,024 2008-02-09 17:50:59  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w		   401,408 2008-02-12 11:59:24  C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
----a-w			32,881 2008-02-09 17:50:33  C:\Program Files\Java\j2re1.4.2_15\bin\jusched .exe
----a-w		 1,694,208 2008-02-09 17:52:38  C:\Program Files\Messenger\msmsgs .exe
----a-w		   101,136 2008-02-09 17:51:59  C:\Program Files\Microsoft Location Finder\LocationFinder .exe
----a-w		   135,168 2008-02-09 17:50:55  C:\Program Files\Motive\AsstCommon\motmon .exe
----a-w		   114,688 2008-02-09 17:50:40  C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK .EXE
----a-w			77,824 2008-02-10 05:01:53  C:\Program Files\QuickTime\qttask			  .exe
----a-w			77,824 2008-02-09 10:09:58  C:\Program Files\QuickTime\qttask			 .exe
----a-w			77,824 2008-02-09 10:09:59  C:\Program Files\QuickTime\qttask			.exe
----a-w			77,824 2008-02-06 12:10:13  C:\Program Files\QuickTime\qttask		   .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask		  .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask		 .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask		.exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask	   .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask	  .exe
----a-w			77,824 2008-02-06 12:10:15  C:\Program Files\QuickTime\qttask	 .exe
----a-w			77,824 2008-02-06 12:10:15  C:\Program Files\QuickTime\qttask	.exe
----a-w			77,824 2008-02-06 12:10:15  C:\Program Files\QuickTime\qttask   .exe
----a-w			77,824 2008-02-06 12:10:16  C:\Program Files\QuickTime\qttask  .exe
----a-w			77,824 2008-02-06 12:10:16  C:\Program Files\QuickTime\qttask .exe
----a-w		   729,178 2008-02-09 17:50:36  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w			69,632 2008-02-09 17:50:33  C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck .exe
----a-w		   158,208 2008-02-05 18:26:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-02-12 12:00:19  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-02-09 17:51:12  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-02-09 17:51:09  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-02-09 17:51:03  C:\WINDOWS\system32\igfxtray .exe
----a-w		   406,016 2008-02-09 17:50:49  C:\WINDOWS\system32\PSDrvCheck .exe
</pre>

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F6AA10-11AF-2C2C-D227-30E602F459E6}]
C:\WINDOWS\system32\mmbac.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="" []
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 18:12 544768 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"farstone"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Digital Lifeline.lnk - C:\Program Files\Digital Lifeline\bin\mpbtn.exe [2006-07-25 13:47:14 172032]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 12:00:54 73728]
MediaTV Monitor.lnk - C:\Program Files\ADS Tech\MediaTV\MediaTVMonitor.exe [2006-12-07 14:21:21 135168]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 11:21:00 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-05-31 21:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-07-07 02:03]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2005-02-15 06:52]
R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2005-02-15 06:52]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2005-02-15 06:52]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-12 23:27]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 18:02]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2006-05-10 11:08]
S3 AFW;AFW;C:\DOCUME~1\ERICBR~1\LOCALS~1\Temp\0010f9e2.sys []
S3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-02-25 17:34]
S3 PTV371;Mini TV USB;C:\WINDOWS\system32\DRIVERS\PTV371.SYS [2006-03-18 17:17]
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 15:23]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 02:00:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2008-02-13 2:02:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 10:02:09
.
2008-01-23 14:44:28 --- E O F ---

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:09 AM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ADS Tech\MediaTV\MediaTVMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C3F6AA10-11AF-2C2C-D227-30E602F459E6} - C:\WINDOWS\system32\mmbac.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MediaTV Monitor.lnk = C:\Program Files\ADS Tech\MediaTV\MediaTVMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...omaha-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.co...ibaba-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...kjack-en_US.cab
O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.co...jack2-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.co...deuce-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.co...bingo-en_US.cab
O16 - DPF: Hangman Hijinks by pogo - http://game1.pogo.co...ngman-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.co...fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.co...igsaw-en_US.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.co...swild-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.co...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...ottso-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.co...tooth-en_US.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.co...mbee2-en_US.cab
O16 - DPF: Vaults of Atlantis Slots by pogo - http://game1.pogo.co...slots-en_US.cab
O16 - DPF: Video Poker by pogo - http://game1.pogo.co...poker-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.co...ories-en_US.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.co...abble-en_US.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.co...mesLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7462 bytes

#4
Rorschach112

Posted 11 February 2008 - 02:29 PM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {C3F6AA10-11AF-2C2C-D227-30E602F459E6} - C:\WINDOWS\system32\mmbac.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\WINDOWS\system32\nGpxx13
C:\TEMP\cXzz9
C:\Program Files\Dot1XCfg
C:\Program Files\Common Files\uumk
C:\Program Files\Router

RenV::
----a-w 1,015,808 2008-02-09 17:51:28 C:\Program Files\ACT\ACT for Windows\Act8 .exe
----a-w 50,768 2008-02-09 17:53:08 C:\Program Files\America Online 9.0\aol .exe
----a-w 50,736 2008-02-09 17:51:18 C:\Program Files\Common Files\AOL\1153765131\ee\AOLSoftware .exe
----a-w 71,216 2008-02-09 17:51:25 C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
----a-w 32,768 2008-02-09 17:50:35 C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader .exe
----a-w 32,768 2008-02-09 17:50:43 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 49,152 2008-02-09 17:51:14 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 356,352 2008-02-09 17:51:24 C:\Program Files\Intel\Wireless\Bin\EOUWiz .exe
----a-w 385,024 2008-02-09 17:50:59 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 401,408 2008-02-12 11:59:24 C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
----a-w 32,881 2008-02-09 17:50:33 C:\Program Files\Java\j2re1.4.2_15\bin\jusched .exe
----a-w 1,694,208 2008-02-09 17:52:38 C:\Program Files\Messenger\msmsgs .exe
----a-w 101,136 2008-02-09 17:51:59 C:\Program Files\Microsoft Location Finder\LocationFinder .exe
----a-w 135,168 2008-02-09 17:50:55 C:\Program Files\Motive\AsstCommon\motmon .exe
----a-w 114,688 2008-02-09 17:50:40 C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK .EXE
----a-w 77,824 2008-02-10 05:01:53 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-09 10:09:58 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-09 10:09:59 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:13 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:14 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:14 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:14 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:14 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:14 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:15 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:15 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:15 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:16 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-02-06 12:10:16 C:\Program Files\QuickTime\qttask .exe
----a-w 729,178 2008-02-09 17:50:36 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 69,632 2008-02-09 17:50:33 C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck .exe
----a-w 158,208 2008-02-05 18:26:00 C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 15,360 2008-02-12 12:00:19 C:\WINDOWS\system32\ctfmon .exe
----a-w 77,824 2008-02-09 17:51:12 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-02-09 17:51:09 C:\WINDOWS\system32\igfxpers .exe
----a-w 94,208 2008-02-09 17:51:03 C:\WINDOWS\system32\igfxtray .exe
----a-w 406,016 2008-02-09 17:50:49 C:\WINDOWS\system32\PSDrvCheck .exe

Driver::
AFW

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

#5
iceblood

Posted 11 February 2008 - 03:21 PM

Member

Topic Starter
Member
10 posts

Thank you for the fast response. I posted the log below. Also AVG founf 50 infected files, 20 it deleted 30 in moved the the virus vault.

ComboFix 08-02-11.2 - Ellen Brown 2008-02-13 4:02:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.461 [GMT -8:00]
Running from: C:\Documents and Settings\Ellen Brown\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ellen Brown\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\uumk
C:\Program Files\Common Files\uumk\uumka.lck
C:\Program Files\Common Files\uumk\uumkd\class-barrel
C:\Program Files\Common Files\uumk\uumkh
C:\Program Files\Common Files\uumk\uumkl.lck
C:\Program Files\Common Files\uumk\uumkm.lck
C:\Program Files\Dot1XCfg
C:\TEMP\cXzz9
C:\WINDOWS\system32\nGpxx13

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\AFW

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-13 02:46 . 2008-02-13 02:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 02:46 . 2008-02-13 03:50 <DIR> d-------- C:\Documents and Settings\Ellen Brown\Application Data\AVG7
2008-02-13 02:45 . 2008-02-13 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-13 02:45 . 2008-02-13 02:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-09 13:10 . 2008-02-08 23:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-09 10:09 . 2008-02-09 21:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-09 10:09 . 2008-02-09 20:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-09 10:09 . 2008-02-09 20:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-09 10:09 . 2008-02-09 20:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-08 23:51 . 2008-02-10 06:26 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-08 15:39 . 2008-02-08 15:39 <DIR> d-------- C:\WINDOWS.0
2008-02-06 03:04 . 2008-02-06 05:30 <DIR> d-------- C:\Documents and Settings\Ellen Brown\.housecall6.6
2008-02-04 03:56 . 2006-07-24 10:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-04 03:56 . 2006-12-06 09:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACT
2008-02-04 03:55 . 2006-07-23 16:53 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-04 03:55 . 2006-09-27 08:42 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-04 03:55 . 2006-07-23 17:10 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-02-04 03:55 . 2006-07-24 10:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-02-04 03:55 . 2006-07-23 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-02-04 03:55 . 2006-07-14 03:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-02-04 03:55 . 2006-09-28 08:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-02-04 03:55 . 2006-12-07 14:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-02-04 03:44 . 2008-02-05 10:26 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-24 02:17 . 2008-01-24 02:17 <DIR> d-------- C:\Documents and Settings\Ellen Brown\Application Data\Lavasoft
2008-01-23 06:56 . 2008-02-08 23:01 179 --a------ C:\handle.dat
2008-01-23 06:54 . 2008-02-12 04:00 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-23 06:54 . 2008-02-12 04:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-14 07:04 . 2008-01-14 07:04 <DIR> d-------- C:\Render
2008-01-14 07:04 . 2008-01-14 07:04 40 --a------ C:\WINDOWS\system32\blue.SITENAME
2008-01-14 07:03 . 2008-01-14 07:04 404 --a------ C:\WINDOWS\VFO.VST

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 12:02 --------- d-----w C:\Program Files\QuickTime
2008-02-13 12:02 --------- d-----w C:\Program Files\Microsoft Location Finder
2008-02-13 12:01 --------- d-----w C:\Program Files\America Online 9.0
2008-02-10 05:23 --------- d-----w C:\Program Files\OFFICE11
2008-02-09 10:26 --------- d-----w C:\Program Files\Trend Micro
2008-01-14 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-14 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-10 12:30 --------- d-----w C:\Documents and Settings\Eric Brown\Application Data\AdobeUM
2007-12-19 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2006-12-07 22:15 56 --sh--r C:\WINDOWS\system32\86EA9BBB2F.sys
.

<pre>
----a-w			77,824 2008-02-10 05:01:53  C:\Program Files\QuickTime\qttask			  .exe
----a-w			77,824 2008-02-09 10:09:58  C:\Program Files\QuickTime\qttask			 .exe
----a-w			77,824 2008-02-09 10:09:59  C:\Program Files\QuickTime\qttask			.exe
----a-w			77,824 2008-02-06 12:10:13  C:\Program Files\QuickTime\qttask		   .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask		  .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask		 .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask		.exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask	   .exe
----a-w			77,824 2008-02-06 12:10:14  C:\Program Files\QuickTime\qttask	  .exe
----a-w			77,824 2008-02-06 12:10:15  C:\Program Files\QuickTime\qttask	 .exe
----a-w			77,824 2008-02-06 12:10:15  C:\Program Files\QuickTime\qttask	.exe
----a-w			77,824 2008-02-06 12:10:15  C:\Program Files\QuickTime\qttask   .exe
----a-w			77,824 2008-02-06 12:10:16  C:\Program Files\QuickTime\qttask  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="" []
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 18:12 544768 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"farstone"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-13 02:45 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-13 02:46 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Digital Lifeline.lnk - C:\Program Files\Digital Lifeline\bin\mpbtn.exe [2006-07-25 13:47:14 172032]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 12:00:54 73728]
MediaTV Monitor.lnk - C:\Program Files\ADS Tech\MediaTV\MediaTVMonitor.exe [2006-12-07 14:21:21 135168]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 11:21:00 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-05-31 21:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-07-07 02:03]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2005-02-15 06:52]
R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2005-02-15 06:52]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2005-02-15 06:52]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-12 23:27]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 18:02]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2006-05-10 11:08]
S3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-02-25 17:34]
S3 PTV371;Mini TV USB;C:\WINDOWS\system32\DRIVERS\PTV371.SYS [2006-03-18 17:17]
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 15:23]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 04:17:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
.

#6
iceblood

Posted 11 February 2008 - 04:39 PM

Member

Topic Starter
Member
10 posts

I just ran windows defender and AVG, both came back with a clean bill. comp is running great! Unless you see something else I would say you've done it. Thanks so much man, I thought this would be much harder then it was. =)

#7
Rorschach112

Posted 11 February 2008 - 05:48 PM

Ralphie

Retired Staff
47,710 posts

Little bit left

1. Close any open browsers.

Download the attached CFScript file to the same location as ComboFix.exe

Posted Image

Edited by Rorschach112, 11 February 2008 - 06:00 PM.

#8
iceblood

Posted 11 February 2008 - 10:02 PM

Member

Topic Starter
Member
10 posts

Done!

Here is the log.

ComboFix 08-02-11.2 - Ellen Brown 2008-02-13 10:19:33.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.488 [GMT -8:00]
Running from: C:\Documents and Settings\Ellen Brown\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ellen Brown\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-13 04:25 . 2008-02-13 04:25 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-13 02:46 . 2008-02-13 02:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 02:46 . 2008-02-13 04:34 <DIR> d-------- C:\Documents and Settings\Ellen Brown\Application Data\AVG7
2008-02-13 02:45 . 2008-02-13 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-13 02:45 . 2008-02-13 02:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-09 13:10 . 2008-02-08 23:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-09 10:09 . 2008-02-09 21:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-09 10:09 . 2008-02-09 20:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-09 10:09 . 2008-02-09 20:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-09 10:09 . 2008-02-09 20:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-08 23:51 . 2008-02-10 06:26 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-08 15:39 . 2008-02-08 15:39 <DIR> d-------- C:\WINDOWS.0
2008-02-06 03:04 . 2008-02-06 05:30 <DIR> d-------- C:\Documents and Settings\Ellen Brown\.housecall6.6
2008-02-04 03:56 . 2006-07-24 10:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-04 03:56 . 2006-12-06 09:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACT
2008-02-04 03:55 . 2006-07-23 16:53 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-04 03:55 . 2006-09-27 08:42 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-04 03:55 . 2006-07-23 17:10 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-02-04 03:55 . 2006-07-24 10:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-02-04 03:55 . 2006-07-23 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-02-04 03:55 . 2006-07-14 03:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-02-04 03:55 . 2006-09-28 08:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-02-04 03:55 . 2006-12-07 14:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-02-04 03:44 . 2008-02-05 10:26 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-24 02:17 . 2008-01-24 02:17 <DIR> d-------- C:\Documents and Settings\Ellen Brown\Application Data\Lavasoft
2008-01-23 06:56 . 2008-02-08 23:01 179 --a------ C:\handle.dat
2008-01-23 06:54 . 2008-02-12 04:00 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-23 06:54 . 2008-02-12 04:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-14 07:04 . 2008-01-14 07:04 <DIR> d-------- C:\Render
2008-01-14 07:04 . 2008-01-14 07:04 40 --a------ C:\WINDOWS\system32\blue.SITENAME
2008-01-14 07:03 . 2008-01-14 07:04 404 --a------ C:\WINDOWS\VFO.VST

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 18:13 --------- d-----w C:\Program Files\QuickTime
2008-02-13 12:02 --------- d-----w C:\Program Files\Microsoft Location Finder
2008-02-13 12:01 --------- d-----w C:\Program Files\America Online 9.0
2008-02-10 05:23 --------- d-----w C:\Program Files\OFFICE11
2008-02-09 17:51 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-02-09 17:51 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-02-09 17:51 118,784 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-02-09 17:50 406,016 ----a-w C:\WINDOWS\system32\PSDrvCheck.exe
2008-02-09 10:26 --------- d-----w C:\Program Files\Trend Micro
2008-02-05 18:26 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-01-14 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-14 15:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-10 12:30 --------- d-----w C:\Documents and Settings\Eric Brown\Application Data\AdobeUM
2007-12-19 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2005-12-15 19:03 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-12-07 22:15 56 --sh--r C:\WINDOWS\system32\86EA9BBB2F.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 18:12 544768 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"farstone"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-13 02:45 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-13 02:46 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Digital Lifeline.lnk - C:\Program Files\Digital Lifeline\bin\mpbtn.exe [2006-07-25 13:47:14 172032]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 12:00:54 73728]
MediaTV Monitor.lnk - C:\Program Files\ADS Tech\MediaTV\MediaTVMonitor.exe [2006-12-07 14:21:21 135168]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 11:21:00 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-05-31 21:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-07-07 02:03]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2005-02-15 06:52]
R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2005-02-15 06:52]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2005-02-15 06:52]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-12 23:27]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 18:02]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2006-05-10 11:08]
S3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-02-25 17:34]
S3 PTV371;Mini TV USB;C:\WINDOWS\system32\DRIVERS\PTV371.SYS [2006-03-18 17:17]
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 15:23]

*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 12:28:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 10:20:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-13 10:20:48
ComboFix-quarantined-files.txt 2008-02-13 18:20:25
ComboFix2.txt 2008-02-13 18:16:51
ComboFix3.txt 2008-02-13 12:19:52
ComboFix4.txt 2008-02-13 10:02:13
.
2008-01-23 14:44:28 --- E O F ---

BTW Im curious about something. Is this program one you like to use most of the time or was there a special reason you decided to use combofix with these viruses?

#9
Rorschach112

Posted 12 February 2008 - 06:51 AM

Ralphie

Retired Staff
47,710 posts

I try not to use ComboFix that often as it is a powerful tool, but it is the main program we use to deal with the infection you had.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Also post a new HijackThis log and tell me how your PC is running

#10
iceblood

Posted 12 February 2008 - 11:08 AM

Member

Topic Starter
Member
10 posts

the comp is running extremely well considering the number of viruses still found. Here is the kaspersky scan results

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 12:07:47 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 558465
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 77139
Number of viruses found: 41
Number of infected objects: 143
Number of suspicious objects: 0
Duration of the scan process: 01:07:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mlljg.exe.bac_a00940 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mlljg.exe.bac_a01744 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mlljgbak.exe.bac_a00628 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mrofinu11.exe.tmp.bac_a00628 Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Broderbund Software\Print\The Print Shop\21.0\Books\Sender\Sender.abk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Broderbund Software\Print\The Print Shop\21.0\PMWPRINT.INI Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02132008-042511.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ADF Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ALF Object is locked skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\!update.exe.bac_a00212 Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\2c1dbeb1361cce3acfbbca0488dfd6ee[1].zip.bac_a00212/b151.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\2c1dbeb1361cce3acfbbca0488dfd6ee[1].zip.bac_a00212 ZIP: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\2c1dbeb1361cce3acfbbca0488dfd6ee[1].zip.bac_a00212 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\718f466754402ac597de014577627f96[1].zip.bac_a00212/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\718f466754402ac597de014577627f96[1].zip.bac_a00212/b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\718f466754402ac597de014577627f96[1].zip.bac_a00212/b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\718f466754402ac597de014577627f96[1].zip.bac_a00212/b104.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\718f466754402ac597de014577627f96[1].zip.bac_a00212 ZIP: infected - 4 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\718f466754402ac597de014577627f96[1].zip.bac_a00212 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\8154ff2675af1b6e0677560871425153[1].zip.bac_a00212/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\8154ff2675af1b6e0677560871425153[1].zip.bac_a00212 ZIP: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\8154ff2675af1b6e0677560871425153[1].zip.bac_a00212 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b103.exe.bac_a00212 Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b104.exe.bac_a00212/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b104.exe.bac_a00212/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b104.exe.bac_a00212/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b104.exe.bac_a00212 NSIS: infected - 3 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b104.exe.bac_a00212 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b138.exe.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\b151.exe.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\c1f5cc94a30f082054f3a00e6655462d[1].zip.bac_a00212/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\c1f5cc94a30f082054f3a00e6655462d[1].zip.bac_a00212 ZIP: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\c1f5cc94a30f082054f3a00e6655462d[1].zip.bac_a00212 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\D104.tmp.bac_a00212/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\D104.tmp.bac_a00212 NSIS: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\D104.tmp.bac_a00212 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\Dot1XCfg .exe.bac_a00212 Infected: Trojan-Downloader.Win32.Adload.qf skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\Dot1XCfg.exe.bac_a02000 Infected: Trojan-Downloader.Win32.Adload.qf skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\F3HTMLMU.DLL.bac_a00212 Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\FF.dll.bac_a00212 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\gamadril20071203[1].bac_a00212 Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\hctp[1].bac_a00212 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\hvcbhywd.exe.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\installer[1].exe.bac_a00212/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\installer[1].exe.bac_a00212/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\installer[1].exe.bac_a00212/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\installer[1].exe.bac_a00212 Inno: infected - 3 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\installer[1].exe.bac_a00212 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\mlljg.exe.bac_a00212 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\mlljg.exe.bac_a02000 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\mmbac.dll.bac_a00212 Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\mrofinu[1].zip.bac_a00212/mrofinu.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\mrofinu[1].zip.bac_a00212 ZIP: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\mrofinu[1].zip.bac_a00212 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\RCX2F.tmp.bac_a02000 Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\RCX67.tmp.bac_a00212 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\RCXA5.tmp.bac_a02000 Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\Router .exe.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\Router.exe.bac_a02000 Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\temp.fr1A5A.bac_a00212 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMP111.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMP11A.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMP159.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMP63.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMP98.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMPBA.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMPDF.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\TMPED.tmp.bac_a00212 Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsinstall_4_0_4_0_b4.exe.bac_a00212/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsinstall_4_0_4_0_b4.exe.bac_a00212/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsinstall_4_0_4_0_b4.exe.bac_a00212/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsinstall_4_0_4_0_b4.exe.bac_a00212/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsinstall_4_0_4_0_b4.exe.bac_a00212 WiseSFX: infected - 4 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsinstall_4_0_4_0_b4.exe.bac_a00212 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsupdate_4_0_4_1_b3.exe.bac_a00212/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsupdate_4_0_4_1_b3.exe.bac_a00212/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsupdate_4_0_4_1_b3.exe.bac_a00212/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsupdate_4_0_4_1_b3.exe.bac_a00212/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsupdate_4_0_4_1_b3.exe.bac_a00212 WiseSFX: infected - 4 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\tsupdate_4_0_4_1_b3.exe.bac_a00212 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\uumka.exe.bac_a00212 Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\uumkl.exe.bac_a00212 Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\uumkm .exe.bac_a02000 Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\uumkm.exe.bac_a02000 Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\uumkp.exe.bac_a00212 Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\Ellen Brown\.housecall6.6\Quarantine\ygiqdimf.dll.bac_a00212 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Ellen Brown\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ellen Brown\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ellen Brown\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ellen Brown\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AA08C869-C2E9-49B8-B1BB-03392291C763} Object is locked skipped
C:\Documents and Settings\Ellen Brown\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ellen Brown\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ellen Brown\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ellen Brown\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\LOG\ERRORLOG Object is locked skipped
C:\pvsw\bin\mkde\log\LAST_SEG.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon .exe.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006325.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006326.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006327.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006328.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006334.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006336.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006337.EXE Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006338.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006339.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006340.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006341.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006342.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006343.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006344.EXE Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006345.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006346.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006347.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006348.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006349.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006350.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006351.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006352.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006353.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006354.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006355.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006356.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006357.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006358.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006359.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006360.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006372.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006375.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006376.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006387.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006390.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006399.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006401.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006417.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006419.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006421.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006422.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006423.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006424.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006425.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006426.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006427.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006428.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006429.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006430.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006431.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006432.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006434.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006435.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006437.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006439.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006440.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006441.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006443.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006444.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006445.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006446.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006447.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006448.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006449.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006457.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006465.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006466.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006467.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006469.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006472.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006475.exe Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006476.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006477.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006478.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006479.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006480.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006481.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006482.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006483.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006484.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006485.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP0\A0006486.dll Object is locked skipped
C:\System Volume Information\_restore{EE1621A8-E83A-4641-B73A-513071F8F157}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_330.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#11
iceblood

Posted 12 February 2008 - 11:22 AM

Member

Topic Starter
Member
10 posts

Looks like these are mostly quarantined viruses though.

#12
Rorschach112

Posted 12 February 2008 - 11:23 AM

Ralphie

Retired Staff
47,710 posts

Your logs are clean ! We need to do a few things

Now lets uninstall Combofix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

The above procedure will do the following:

Delete ComboFix and its associated files and folders.
Delete VundoFix backups, if present
Delete the C:\Deckard folder, if present
Delete the C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#13
iceblood

Posted 12 February 2008 - 01:21 PM

Member

Topic Starter
Member
10 posts

Geat job man, If they had their OEM disk I was just going to format the PC. Im hooking them up with AVG +firewall so that should take care of most of the needs. I usually just use windows defender for spyware do you think I should give them spyware blaster as well? installed the new JRE. Im not sure if I can convince them to use mozilla but I at least installed IE 7, hopefully they will stay away from whatever they got into.

Seriously though, dont thank me. You really resurrected this PC thanks so much for helping out!

#14
Rorschach112

Posted 12 February 2008 - 02:00 PM

Ralphie

Retired Staff
47,710 posts

Well SpywareBlaster and SpywareGuard are different type of security programs, they don't scan to remove malware, instead they protect you from getting infected in the first place. This is very important, and makes them an essential for any PC user.

Let me know if you have any more questions