Serious Malware Problems [Resolved]


  • This topic is locked

#16
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
See if you can now run ComboFix and post that log, please.
#17
Yodoman (Member, Topic Starter, 13 posts)
ComboFix 08-02-22.3 - Charles 2008-02-22 12:08:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -5:00]
Running from: C:\Documents and Settings\Charles\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jhpssuhj.ini
C:\WINDOWS\system32\jyaqhlkh.ini
C:\WINDOWS\system32\NTICDMK32.dll
C:\WINDOWS\system32\xyadd.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 09:14 . 2008-02-22 09:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-22 00:29 . 2008-02-22 00:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-22 00:29 . 2008-02-22 01:56 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\AVG7
2008-02-22 00:29 . 2008-02-22 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-22 00:29 . 2008-02-22 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-21 22:58 . 2008-02-21 22:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 22:58 . 2008-02-21 22:58 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Malwarebytes
2008-02-21 22:58 . 2008-02-21 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 22:37 . 2008-02-21 22:37 60,416 --a------ C:\WINDOWS\system32\drivers\b^splplb.sys
2008-02-21 22:36 . 2008-02-21 22:36 60,416 --a------ C:\WINDOWS\system32\drivers\myvahfxa.sys
2008-02-21 22:35 . 2008-02-21 22:35 60,416 --a------ C:\WINDOWS\system32\drivers\lkdwglvw.sys
2008-02-21 22:12 . 2008-02-21 22:12 <DIR> d-------- C:\Deckard
2008-02-21 22:02 . 2008-02-21 22:06 3,624 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-21 21:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-21 21:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-21 21:57 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-21 21:57 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-21 21:57 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-21 21:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-21 21:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-21 21:04 . 2008-02-21 21:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-02-21 21:04 . 2008-02-21 21:21 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Roxio
2008-02-21 20:51 . 2008-02-21 20:54 <DIR> d-------- C:\WINDOWS\system32\DLA
2008-02-21 20:51 . 2008-02-21 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-21 20:51 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-02-21 20:51 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2008-02-21 20:51 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-02-21 20:51 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-02-21 20:51 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-02-21 20:51 . 2008-02-21 20:51 168 --a------ C:\WINDOWS\wininit.ini
2008-02-21 20:50 . 2008-02-21 20:50 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-21 20:49 . 2008-02-21 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-21 20:48 . 2008-02-21 20:49 <DIR> d-------- C:\Program Files\SightSpeed
2008-02-21 20:45 . 2008-02-21 20:51 <DIR> d-------- C:\Program Files\Roxio
2008-02-21 20:45 . 2008-02-21 20:50 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-21 20:45 . 2008-02-21 20:46 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-02-21 20:45 . 2008-02-21 20:47 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-21 20:45 . 2008-02-21 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-21 10:07 . 2008-02-21 10:07 <DIR> d-------- C:\_OTMoveIt
2008-02-20 15:56 . 2008-02-20 15:56 18,770 --a------ C:\WINDOWS\system32\fygopopa.dl
2008-02-18 01:06 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\iTunes
2008-02-18 01:06 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\iPod
2008-02-18 01:06 . 2008-02-18 01:10 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Apple Computer
2008-02-18 01:06 . 2008-02-18 01:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-18 01:06 . 2008-02-18 01:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-18 01:05 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\QuickTime
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-18 01:05 . 2008-02-18 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-15 13:24 . 2008-02-20 09:29 <DIR> d-------- C:\Program Files\Apollo DVD Copy
2008-02-15 13:24 . 2008-02-15 13:24 66 --a------ C:\WINDOWS\Apollo DVD Copy.INI
2008-02-15 13:07 . 2008-02-20 09:30 <DIR> d-------- C:\Program Files\NewTech Infosystems
2008-02-15 13:07 . 2008-02-15 13:07 6,016 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2008-02-09 16:11 . 2008-02-09 16:11 <DIR> d-------- C:\WINDOWS\system32\(null)202
2008-02-07 09:46 . 2008-02-07 09:33 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 09:46 . 2008-02-07 09:46 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-06 22:46 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-06 22:46 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-06 14:14 . 2008-02-21 23:04 11 --a------ C:\WINDOWS\system32\(null)id
2008-02-05 22:30 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-02-05 22:30 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-02-05 11:03 . 2008-02-16 10:37 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\skypePM
2008-02-05 11:03 . 2008-02-05 11:03 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-05 11:01 . 2008-02-05 11:01 <DIR> d-------- C:\Program Files\Skype
2008-02-05 11:01 . 2008-02-05 11:01 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-05 11:01 . 2008-02-16 10:49 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Skype
2008-02-05 11:01 . 2008-02-05 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-02 17:48 . 2008-02-02 17:48 <DIR> d-------- C:\Program Files\Synchronization Technologies Inc
2008-02-02 17:47 . 2008-02-03 20:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-02 17:18 . 2008-02-02 17:18 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\SyncMyCal
2008-02-02 16:30 . 2008-02-02 16:50 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\RemoteCalendars
2008-01-31 23:30 . 2008-01-31 23:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 22:10 . 2008-01-31 22:10 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Windows Desktop Search
2008-01-31 22:09 . 2008-01-31 22:09 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-01-31 22:09 . 2006-09-15 07:36 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-01-31 22:09 . 2006-09-15 07:36 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-01-31 22:09 . 2006-09-15 07:36 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-01-28 11:49 . 2008-01-28 11:49 <DIR> d-------- C:\Program Files\MSBuild
2008-01-28 11:39 . 2008-01-28 11:39 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-28 11:39 . 2008-01-28 11:39 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\DAEMON Tools
2008-01-28 11:35 . 2008-01-28 11:35 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-28 10:46 . 2006-05-29 22:19 118,784 --a------ C:\WINDOWS\system32\dlxzizil.dll
2008-01-26 23:10 . 2008-01-26 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-26 23:07 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\Bonjour
2008-01-26 23:02 . 2008-01-26 23:02 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-26 21:19 . 2008-01-26 21:19 <DIR> d-------- C:\Program Files\Google
2008-01-26 21:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-26 21:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-26 21:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-26 21:05 . 2008-01-26 21:05 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-26 21:05 . 2008-01-26 21:05 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-26 21:05 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-26 21:04 . 2008-01-26 21:04 <DIR> dr-h----- C:\MSOCache
2008-01-26 21:04 . 2008-02-13 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-26 07:09 . 2008-01-26 07:09 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\elefundesktops
2008-01-26 07:09 . 2008-01-26 07:09 2,262,648 --a------ C:\WINDOWS\system32\Flash9b.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-22 06:11 --------- d-----w C:\Program Files\Trillian
2008-02-22 01:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 01:47 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-20 20:56 19,923 ----a-w C:\Program Files\Common Files\epepyfas.inf
2008-02-20 19:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-19 00:01 --------- d-----w C:\Documents and Settings\Charles\Application Data\Azureus
2008-02-07 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 21:54 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-01 17:27 --------- d-----w C:\Documents and Settings\Charles\Application Data\OpenOffice.org2
2008-01-27 04:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-26 04:01 --------- d-----w C:\Program Files\World of Warcraft
2008-01-20 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 03:41 --------- d-----w C:\Documents and Settings\Charles\Application Data\U3
2008-01-15 22:57 --------- d-----w C:\Program Files\Java
2008-01-12 19:52 --------- d-----w C:\Program Files\Security Task Manager
2008-01-08 21:05 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-02 04:15 --------- d-----w C:\Program Files\Xvid
2008-01-02 04:14 --------- d-----w C:\Program Files\DivX
2007-12-28 01:21 --------- d-----w C:\Documents and Settings\Charles\Application Data\InstallShield
2007-12-28 01:00 --------- d-----w C:\Program Files\Intel
2007-12-25 06:17 --------- d-----w C:\Program Files\Lavasoft
2007-12-25 06:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 22:28 --------- d-----w C:\Program Files\Azureus
2007-12-24 22:25 --------- d-----w C:\Program Files\LimeWire
2007-12-24 22:24 --------- d-----w C:\Program Files\Common Files\Java
2007-12-24 21:44 --------- d-----w C:\Documents and Settings\Charles\Application Data\Winamp
2007-12-24 21:39 --------- d-----w C:\Program Files\Winamp
2007-12-24 19:42 --------- d-----w C:\Documents and Settings\Charles\Application Data\Yahoo!
2007-12-24 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-24 19:40 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 19:39 --------- d-----w C:\Program Files\Cosmi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 11:51 486856]
"SyncMyCal"="C:\Program Files\Synchronization Technologies Inc\SyncMyCal\SyncMyCal.exe" [2008-01-11 18:21 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2004-08-04 07:00 16384]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 07:00 271872]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-10-07 12:54 82010]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 12:52 737370]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39 151552]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 16:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 16:55 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 10:20 413696 C:\WINDOWS\stsystra.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 00:30 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="%windir%\help\wizard.hta" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 00:29 219136]

C:\Documents and Settings\Charles\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjggf]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 07:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 05:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2004-08-04 07:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wpzifyyo]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R3 FinePnt;FinePoint Innovations HID Driver;C:\WINDOWS\system32\DRIVERS\FpHidDrv.sys [2005-07-06 23:23]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\WINDOWS\system32\DRIVERS\MSTabBtn.sys [2007-03-09 10:40]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 07:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 10:31:28 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 12:13:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-02-22 12:17:01 - machine was rebooted [Charles]
ComboFix-quarantined-files.txt 2008-02-22 17:16:58
.
2008-02-22 06:57:09 --- E O F ---

#18
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad:
  • Click Start, then Run.
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\fygopopa.dll
C:\WINDOWS\system32\drivers\lkdwglvw.sys
C:\WINDOWS\system32\drivers\myvahfxa.sys
C:\WINDOWS\system32\drivers\b^splplb.sys
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjggf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wpzifyyo]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (in case it asks to reboot), please post the following log in your next reply: ComboFix.txt
=================================================
After that, please run the F-Secure Online Scanner.

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX control installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

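The helper read the log in #17 by eye and turned three findings into the CFScript in #18: three 60,416-byte drivers with random names dropped a minute apart, two Winlogon\Notify subkeys with nothing behind them, and the Windows Firewall switched off. The script below is an added example for this page, not part of the thread, of ComboFix or of any Geeks to Go procedure. It applies those same checks to an excerpt of the posted log (embedded inline, copied from the page) and renders the hits in the File::/Registry:: layout the reply uses for CFScript.txt. The five-minute cluster window, the eight-letter-stem rule and the extension list are assumptions of mine; the name heuristic produces candidates for review, not verdicts (it also lists dlxzizil.dll, which the helper's script did not touch).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the ComboFix log pasted in the thread, embedded so the script runs
# offline. Every line below is copied from the posted log; nothing is invented.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.
2008-02-21 22:37 . 2008-02-21 22:37 60,416 --a------ C:\WINDOWS\system32\drivers\b^splplb.sys
2008-02-21 22:36 . 2008-02-21 22:36 60,416 --a------ C:\WINDOWS\system32\drivers\myvahfxa.sys
2008-02-21 22:35 . 2008-02-21 22:35 60,416 --a------ C:\WINDOWS\system32\drivers\lkdwglvw.sys
2008-02-21 21:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-20 15:56 . 2008-02-20 15:56 18,770 --a------ C:\WINDOWS\system32\fygopopa.dl
2008-02-15 13:07 . 2008-02-15 13:07 6,016 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2008-01-28 10:46 . 2006-05-29 22:19 118,784 --a------ C:\WINDOWS\system32\dlxzizil.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjggf]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 07:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wpzifyyo]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "<created> . <modified> <size> <attrs> <path>", the way ComboFix prints a file entry.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"([\d,]+) (\S+) (.+)$")
NOTIFY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.I)
RANDOM_STEM = re.compile(r"^[a-z^]{8}$")   # assumed: eight lowercase letters ('^' appears in one name)
LOADABLE = {"sys", "dll", "dl", "exe"}     # assumed extension list


def parse_files(log):
    """One dict per file line in the 'Files Created' section; <DIR> lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, _modified, size, _attrs, path = m.groups()
        folder, _, name = path.rpartition("\\")
        entries.append({"created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
                        "size": int(size.replace(",", "")),
                        "folder": folder.lower(), "name": name, "path": path})
    return entries


def same_size_clusters(entries, window=timedelta(minutes=5)):
    """Identical size, same folder, different names, all created within `window`:
    the pattern of the three 60,416-byte drivers re-dropped a minute apart."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["folder"], e["size"])].append(e)
    flagged = []
    for members in groups.values():
        names = {m["name"].lower() for m in members}
        times = [m["created"] for m in members]
        if len(names) >= 2 and max(times) - min(times) <= window:
            flagged.extend(m["path"] for m in members)
    return sorted(flagged)


def random_named(entries):
    """Candidates for review, not verdicts: pseudo-random stems with a loadable
    extension anywhere under system32."""
    out = []
    for e in entries:
        stem, _, ext = e["name"].rpartition(".")
        if "system32" in e["folder"] and ext.lower() in LOADABLE and RANDOM_STEM.match(stem):
            out.append(e["path"])
    return sorted(out)


def empty_notify_keys(log):
    """Winlogon Notify subkeys that ComboFix printed with no DLL line beneath them."""
    lines = [l.rstrip() for l in log.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = NOTIFY_RE.match(line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt == "" or nxt.startswith("["):
                found.append(m.group(1))
    return found


def firewall_disabled(log):
    """True when the standard-profile policy shows EnableFirewall = 0."""
    return re.search(r'^"EnableFirewall"=\s*0\b', log, re.M) is not None


def build_cfscript(files, notify_keys):
    """Render findings in the File::/Registry:: layout used for CFScript.txt above.
    The text is for a human to review; this script never hands it to ComboFix."""
    base = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
    lines = ["File::", *files, "Registry::", *[f"[-{base}\\{k}]" for k in notify_keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_files(SAMPLE_LOG)
    drops = same_size_clusters(entries)
    print("random-name candidates:", random_named(entries))
    print("firewall disabled:", firewall_disabled(SAMPLE_LOG))
    print(build_cfscript(drops, empty_notify_keys(SAMPLE_LOG)))
```

The size-cluster check is the strong signal here: a benign installer does not write the same 60,416 bytes to three different names in three consecutive minutes. The name heuristic is deliberately separate because it trades precision for recall, which is why its output is labelled as candidates and why the generated CFScript is built only from the cluster hits and the empty Notify keys.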

#19
Yodoman (Member, Topic Starter, 13 posts)
Scanning Report
Friday, February 22, 2008 12:53:22 - 14:14:59

Computer name: MIKES-COMPUTER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 32 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System

Statistics
Scanned:

* Files: 48298
* System: 4631
* Not scanned: 3

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 31
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2008-02-21
* F-Secure AVP: 7.0.171, 2008-02-22
* F-Secure Orion: 1.2.37, 2008-02-22
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.20.0, 2008-01-20

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX JPG SWF
* Use Advanced heuristics

ComboFix 08-02-22.3 - Charles 2008-02-22 12:41:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.533 [GMT -5:00]
Running from: C:\Documents and Settings\Charles\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charles\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\b^splplb.sys
C:\WINDOWS\system32\drivers\lkdwglvw.sys
C:\WINDOWS\system32\drivers\myvahfxa.sys
C:\WINDOWS\system32\fygopopa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\b^splplb.sys
C:\WINDOWS\system32\drivers\lkdwglvw.sys
C:\WINDOWS\system32\drivers\myvahfxa.sys

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 09:14 . 2008-02-22 09:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-22 00:29 . 2008-02-22 00:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-22 00:29 . 2008-02-22 01:56 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\AVG7
2008-02-22 00:29 . 2008-02-22 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-22 00:29 . 2008-02-22 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-21 22:58 . 2008-02-21 22:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 22:58 . 2008-02-21 22:58 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Malwarebytes
2008-02-21 22:58 . 2008-02-21 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 22:12 . 2008-02-21 22:12 <DIR> d-------- C:\Deckard
2008-02-21 22:02 . 2008-02-21 22:06 3,624 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-21 21:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-21 21:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-21 21:57 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-21 21:57 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-21 21:57 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-21 21:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-21 21:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-21 21:04 . 2008-02-21 21:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-02-21 21:04 . 2008-02-21 21:21 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Roxio
2008-02-21 20:51 . 2008-02-21 20:54 <DIR> d-------- C:\WINDOWS\system32\DLA
2008-02-21 20:51 . 2008-02-21 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-21 20:51 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-02-21 20:51 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2008-02-21 20:51 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-02-21 20:51 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-02-21 20:51 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-02-21 20:51 . 2008-02-21 20:51 168 --a------ C:\WINDOWS\wininit.ini
2008-02-21 20:50 . 2008-02-21 20:50 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-21 20:49 . 2008-02-21 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-21 20:48 . 2008-02-21 20:49 <DIR> d-------- C:\Program Files\SightSpeed
2008-02-21 20:45 . 2008-02-21 20:51 <DIR> d-------- C:\Program Files\Roxio
2008-02-21 20:45 . 2008-02-21 20:50 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-21 20:45 . 2008-02-21 20:46 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-02-21 20:45 . 2008-02-21 20:47 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-21 20:45 . 2008-02-21 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-21 10:07 . 2008-02-21 10:07 <DIR> d-------- C:\_OTMoveIt
2008-02-20 15:56 . 2008-02-20 15:56 18,770 --a------ C:\WINDOWS\system32\fygopopa.dl
2008-02-18 01:06 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\iTunes
2008-02-18 01:06 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\iPod
2008-02-18 01:06 . 2008-02-18 01:10 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Apple Computer
2008-02-18 01:06 . 2008-02-18 01:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-18 01:06 . 2008-02-18 01:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-18 01:05 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\QuickTime
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-18 01:05 . 2008-02-18 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-15 13:24 . 2008-02-20 09:29 <DIR> d-------- C:\Program Files\Apollo DVD Copy
2008-02-15 13:24 . 2008-02-15 13:24 66 --a------ C:\WINDOWS\Apollo DVD Copy.INI
2008-02-15 13:07 . 2008-02-20 09:30 <DIR> d-------- C:\Program Files\NewTech Infosystems
2008-02-15 13:07 . 2008-02-15 13:07 6,016 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2008-02-09 16:11 . 2008-02-09 16:11 <DIR> d-------- C:\WINDOWS\system32\(null)202
2008-02-07 09:46 . 2008-02-07 09:33 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 09:46 . 2008-02-07 09:46 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-06 22:46 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-06 22:46 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-06 14:14 . 2008-02-21 23:04 11 --a------ C:\WINDOWS\system32\(null)id
2008-02-05 22:30 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-02-05 22:30 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-02-05 11:03 . 2008-02-16 10:37 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\skypePM
2008-02-05 11:03 . 2008-02-05 11:03 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-05 11:01 . 2008-02-05 11:01 <DIR> d-------- C:\Program Files\Skype
2008-02-05 11:01 . 2008-02-05 11:01 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-05 11:01 . 2008-02-16 10:49 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Skype
2008-02-05 11:01 . 2008-02-05 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-02 17:48 . 2008-02-02 17:48 <DIR> d-------- C:\Program Files\Synchronization Technologies Inc
2008-02-02 17:47 . 2008-02-03 20:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-02 17:18 . 2008-02-02 17:18 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\SyncMyCal
2008-02-02 16:30 . 2008-02-02 16:50 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\RemoteCalendars
2008-01-31 23:30 . 2008-01-31 23:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 22:10 . 2008-01-31 22:10 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\Windows Desktop Search
2008-01-31 22:09 . 2008-01-31 22:09 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-01-31 22:09 . 2006-09-15 07:36 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-01-31 22:09 . 2006-09-15 07:36 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-01-31 22:09 . 2006-09-15 07:36 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-01-28 11:49 . 2008-01-28 11:49 <DIR> d-------- C:\Program Files\MSBuild
2008-01-28 11:39 . 2008-01-28 11:39 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-28 11:39 . 2008-01-28 11:39 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\DAEMON Tools
2008-01-28 11:35 . 2008-01-28 11:35 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-28 10:46 . 2006-05-29 22:19 118,784 --a------ C:\WINDOWS\system32\dlxzizil.dll
2008-01-26 23:10 . 2008-01-26 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-26 23:07 . 2008-02-18 01:06 <DIR> d-------- C:\Program Files\Bonjour
2008-01-26 23:02 . 2008-01-26 23:02 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-26 21:19 . 2008-01-26 21:19 <DIR> d-------- C:\Program Files\Google
2008-01-26 21:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-26 21:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-26 21:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-26 21:05 . 2008-01-26 21:05 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-26 21:05 . 2008-01-26 21:05 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-26 21:05 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-26 21:04 . 2008-01-26 21:04 <DIR> dr-h----- C:\MSOCache
2008-01-26 21:04 . 2008-02-13 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-26 07:09 . 2008-01-26 07:09 <DIR> d-------- C:\Documents and Settings\Charles\Application Data\elefundesktops
2008-01-26 07:09 . 2008-01-26 07:09 2,262,648 --a------ C:\WINDOWS\system32\Flash9b.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-22 06:11 --------- d-----w C:\Program Files\Trillian
2008-02-22 01:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 01:47 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-20 20:56 19,923 ----a-w C:\Program Files\Common Files\epepyfas.inf
2008-02-20 19:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-19 00:01 --------- d-----w C:\Documents and Settings\Charles\Application Data\Azureus
2008-02-07 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 14:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-02 21:54 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-01 17:27 --------- d-----w C:\Documents and Settings\Charles\Application Data\OpenOffice.org2
2008-01-27 04:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-26 04:01 --------- d-----w C:\Program Files\World of Warcraft
2008-01-20 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 03:41 --------- d-----w C:\Documents and Settings\Charles\Application Data\U3
2008-01-15 22:57 --------- d-----w C:\Program Files\Java
2008-01-12 19:52 --------- d-----w C:\Program Files\Security Task Manager
2008-01-08 21:05 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-02 04:15 --------- d-----w C:\Program Files\Xvid
2008-01-02 04:14 --------- d-----w C:\Program Files\DivX
2007-12-28 01:21 --------- d-----w C:\Documents and Settings\Charles\Application Data\InstallShield
2007-12-28 01:00 --------- d-----w C:\Program Files\Intel
2007-12-25 06:57 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2007-12-25 06:17 --------- d-----w C:\Program Files\Lavasoft
2007-12-25 06:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 22:28 --------- d-----w C:\Program Files\Azureus
2007-12-24 22:25 --------- d-----w C:\Program Files\LimeWire
2007-12-24 22:24 --------- d-----w C:\Program Files\Common Files\Java
2007-12-24 21:44 --------- d-----w C:\Documents and Settings\Charles\Application Data\Winamp
2007-12-24 21:39 --------- d-----w C:\Program Files\Winamp
2007-12-24 19:42 --------- d-----w C:\Documents and Settings\Charles\Application Data\Yahoo!
2007-12-24 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-24 19:40 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 19:39 --------- d-----w C:\Program Files\Cosmi
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 11:51 486856]
"SyncMyCal"="C:\Program Files\Synchronization Technologies Inc\SyncMyCal\SyncMyCal.exe" [2008-01-11 18:21 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2004-08-04 07:00 16384]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 07:00 271872]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-10-07 12:54 82010]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 12:52 737370]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39 151552]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 16:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 16:55 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 10:20 413696 C:\WINDOWS\stsystra.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 00:30 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="%windir%\help\wizard.hta" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 00:29 219136]

C:\Documents and Settings\Charles\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 07:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 05:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2004-08-04 07:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R3 FinePnt;FinePoint Innovations HID Driver;C:\WINDOWS\system32\DRIVERS\FpHidDrv.sys [2005-07-06 23:23]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\WINDOWS\system32\DRIVERS\MSTabBtn.sys [2007-03-09 10:40]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 07:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 10:31:28 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 12:42:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-22 12:43:15
ComboFix-quarantined-files.txt 2008-02-22 17:43:13
ComboFix2.txt 2008-02-22 17:17:02
.
2008-02-22 06:57:09 --- E O F ---
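An added example, not part of kahdah's or Yodoman's posts and not code from ComboFix: a small Python parser that pulls the "Reg Loading Points" Run keys and the standard-profile firewall policy out of a ComboFix log and turns them into the triage notes a responder reads this section for. On the sample below it reports that the Windows Firewall is off (EnableFirewall = 0), that a Run value points at a file ComboFix could not find (ComboFix prints "[ ]" instead of "[date time size]" for those), and that the same value name is registered in more than one hive. The sample text is a constructed excerpt of lines copied from the log above; the section headers and bracket format are what ComboFix prints, while the flagging rules are this example's own heuristics, not verdicts ComboFix produces.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the ComboFix log posted
# above, trimmed to the sections this parser reads. A real log is far longer.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 10:20 413696 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="%windir%\help\wizard.hta" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')               # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "name"= rest of line
RUN_VALUE_RE = re.compile(r'^"([^"]*)"\s*\[(.*)\]$')  # "path" [date time size]
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')
RESOLVED_RE = re.compile(r'[A-Za-z]:\\.*$')           # full path ComboFix appends for bare image names

RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'
FW_PROFILE = r'hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'


def parse_sections(text):
    """Map each lower-cased [section] header to its list of (name, rest) values."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return dict(sections)


def run_entries(sections):
    """Return (hive, name, path, exists) for every value under a Run key.

    ComboFix prints '[date time size]' after a value whose target it found and
    '[ ]' when the file is missing; for a bare image name it appends the
    resolved full path inside the brackets, which is used here instead."""
    out = []
    for key, values in sections.items():
        if not key.endswith(RUN_KEY_SUFFIX):
            continue
        hive = key.split('\\')[0]
        for name, rest in values:
            m = RUN_VALUE_RE.match(rest)
            if not m:
                continue
            path, meta = m.group(1), m.group(2).strip()
            if not DRIVE_RE.match(path) and meta:
                resolved = RESOLVED_RE.search(meta)
                if resolved:
                    path = resolved.group(0)
            out.append((hive, name, path, meta != ''))
    return out


def firewall_summary(sections):
    """Summarise the standard-profile firewall policy as ComboFix prints it."""
    enabled = None
    for name, rest in sections.get(FW_PROFILE, []):
        if name.lower() == 'enablefirewall':
            enabled = rest.split()[0] != '0'   # "0 (0x0)" means the firewall is off
    # Authorised applications are printed registry-export style, backslashes doubled.
    apps = [name.replace('\\\\', '\\')
            for name, _ in sections.get(FW_PROFILE + r'\authorizedapplications\list', [])]
    ports = []
    for name, rest in sections.get(FW_PROFILE + r'\globallyopenports\list', []):
        fields = rest.split(':')               # port:proto:scope:Enabled|Disabled:description
        is_open = len(fields) < 4 or fields[3].strip().lower() != 'disabled'
        ports.append((name, is_open))
    return {'enabled': enabled, 'authorized_apps': apps, 'open_ports': ports}


def findings(text):
    """Heuristic triage notes (this example's own rules, not ComboFix output)."""
    sections = parse_sections(text)
    notes = []
    fw = firewall_summary(sections)
    if fw['enabled'] is False:
        notes.append('Windows Firewall is off for the standard profile (EnableFirewall=0)')
    hives_by_name = defaultdict(set)
    for hive, name, path, exists in run_entries(sections):
        hives_by_name[name.lower()].add(hive)
        if not exists:
            notes.append(f'{hive}: Run value "{name}" points at a file ComboFix could not find: {path}')
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            notes.append(f'Run value "{name}" is registered in more than one hive: ' + ', '.join(sorted(hives)))
    return notes


if __name__ == '__main__':
    for note in findings(SAMPLE_LOG):
        print('-', note)
```

Run against the full log rather than the excerpt, the same functions list every authorised application and open port, so the reviewer can see at a glance that the host firewall was disabled while a long list of peer-to-peer and game executables had been whitelisted through it.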

#20
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#21
Yodoman

Yodoman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Sorry it took so long. I'm still not clear on what you wanted posted, so I saved the page as text and as HTML and posted both. The text didn't look like it had the info you needed; the first log here is the text, the second is the HTML.



Kaspersky Online Scanner
Welcome to the Kaspersky Online Scanner! Use it to scan your PC for viruses and other malware for free.
Warning: if you have installed Kaspersky Online Scanner Pro, please manually uninstall it using "Add/Remove Programs" before installing this version! Otherwise this version will not function correctly.

Requirements and limitations:


When using this service for the first time, you have to run with
Administrator privileges in order to install the product. Also, you will
need to download and install files about 400 KB in size followed by 9 MB
of virus definitions.
However, if you use the Online Scanner again, you will only need to
download the files that have been updated since your last scan.
The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX
technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner
work only with MS Internet Explorer 6.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you
are using any other browser or any Internet Explorer extensions (such as
AvantBrowser). If you use a different browser, you can use the Kaspersky
File Scanner to scan individual files.
The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so
it cannot detect malicious code located in these areas.
Please note: The free Kaspersky Online Scanner does not protect against
malicious code, and cannot prevent future infections. It only detects
malware that has already penetrated your computer. We strongly recommend
that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious
programs found on your computer during the scanning process. The
information will be sent to the Kaspersky Virus Lab for statistical
purposes. No personal information about you or specific information about
your system will be collected or transmitted to Kaspersky Lab.





Scan settings:
Here you can configure the scanning process.

Scan using the following antivirus database:
standard - detect viruses, worms, Trojans,
rootkits
extended - protect your computer from Spyware,
adware, dialers and potentially dangerous
software such as remote access utilities, prank
programs and jokes. We do not recommend this
option to beginners or inexperienced users.

Scan options:
Scan Archives - scan files inside archives
Note: affects all targets except 'A
File...' scan target.
Scan Mail Bases - scan e-mails/attachments
inside mail base files
Note: affects all targets except 'My
Email' and 'A File...' scan targets.







Initialize Kaspersky Online Scanner
(downloading and installing Kaspersky Online Scanner ActiveX from the server into your computer)

Update Kaspersky Anti-Virus Databases [100%]:
(downloading and installing the latest Kaspersky Anti-Virus Databases)

Please wait to update the virus definitions...
Downloading from url: http://dnl-us6.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: dailyc.avc
Downloading remote file: daily-ec.avc
Downloading remote file: avp.klb
Update finished. Ready to scan.
Please select a target to scan:
You can configure the scanning process by
pressing "Scan Settings" button.



Critical Areas
scan critical areas of your hard disks
specified in %windir% and %tmp% system variables
Memory
scan disk modules of running processes
My Computer
scan all your hard and mapped disks
My Email
scan all your hard and mapped disks only for the
following extensions: *.PST; *.MSG; *.OST;
*.MDB; *.DBX; *.EML; *.MBS
Folders...
scan selected folders
A File...
scan a one file





Warning: The Kaspersky Online Scanner may not
run successfully while any other Anti-Virus
software is running. If you have Anti-Virus
software installed, please disable your AV
protection before running the Kaspersky Online
Scanner.
Scan complete.
Verdict: Your computer is infected
The following infected files/objects were
detected:


Report is empty.
Please note: The free Kaspersky Online Scanner
does not provide comprehensive protection and
cannot prevent future infections. It only
detects malware that has already penetrated your
storage devices. We strongly recommend that you
use a fully-functional antivirus solution to
protect your computer at all times.

Please wait, this process may take a long time depending on the selected target. If you want to continue browsing, open a new window.

Scan Progress [99%]:

Total number of scanned objects:93058
Number of viruses found:9
Number of infected objects:27
Number of suspicious objects:0
Duration of the scan process:02:08:20
Product Info
You have Kaspersky Online Scanner version 5.0.98.0
installed. The current anti-virus database was
released on Saturday, February 23, 2008 and
contains 576888 records.

System Info
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Please wait while the Kaspersky Online Scanner is initializing and updating...








Copyright © Kaspersky Lab 1997 - 2007
Portions Copyright © Lan Crypto

KASPERSKY ONLINE SCANNER REPORT
Saturday, February 23, 2008 4:00:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 576888
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 93058
Number of viruses found 9
Number of infected objects 27
Number of suspicious objects 0
Duration of the scan process 02:08:20

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080221224204\backup\DOCUME~1\Charles\LOCALS~1\Temp\uninst.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.22.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.22.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy88.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_2ac.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SecTaskMan\hwvr.dll.q_804EE00_q Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\cert8.db Object is locked skipped
C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\history.dat Object is locked skipped
C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\key3.db Object is locked skipped
C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\parent.lock Object is locked skipped
C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Charles\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Charles\Desktop\Malware Programs\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Charles\Desktop\Malware Programs\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Charles\Desktop\Malware Programs\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Charles\Desktop\Malware Programs\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\ApplicationHistory\TCServer.exe.7c11743d.ini.inuse Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Mozilla\Firefox\Profiles\jhnd8hp2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Charles\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP143\A0039231.sys Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP144\A0039248.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP145\A0039252.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP153\A0039274.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP153\A0039294.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP153\A0039296.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP153\A0039299.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP153\A0039299.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP154\A0039426.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP160\A0039462.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0039472.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0039530.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040526.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040527.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040536.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040537.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040546.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040547.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040553.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040554.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040580.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP161\A0040598.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP162\A0040612.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP162\A0040613.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP162\A0040618.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040661.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040662.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040665.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040666.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040669.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040670.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040673.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040674.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040677.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040678.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040683.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040685.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040686.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040689.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040690.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0040695.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041689.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041690.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041697.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041698.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041705.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041706.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041709.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041710.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041713.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041714.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041717.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041718.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041724.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041725.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041730.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041733.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041734.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041737.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041738.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041743.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP163\A0041744.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP164\A0041992.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP164\A0041993.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP164\A0042058.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042097.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042098.exe Infected: Trojan-Downloader.Win32.Tiny.ads skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042099.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042100.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042100.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ieg skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042100.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.ijp skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042100.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ijp skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042100.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042609.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042619.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042621.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042622.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042624.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042625.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042626.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042628.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042629.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042631.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042633.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042634.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042636.dll Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042695.sys Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP165\A0042696.sys Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP166\A0042859.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP166\A0042860.exe Object is locked skipped
C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP169\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2B5F5070-FC92-42B1-8A7E-2C9E87356FB4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#22
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\All Users\Application Data\SecTaskMan\hwvr.dll.q_804EE00_q
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\hwvr.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Also post a new dss log (kahdah.exe) and let me know how things are running.

#23
Yodoman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Things are running pretty good, better than when I initially got the laptop. I should have disabled AVG, but it didn't cross my mind, and during the online scan AVG popped up saying something about some infected files.

C:\Documents and Settings\All Users\Application Data\SecTaskMan\hwvr.dll.q_804EE00_q moved successfully.
File/Folder C:\Documents and Settings\All Users\Application Data\SecTaskMan\hwvr.dll not found.

OTMoveIt2 v1.0.20 log created on 02232008_164158

Deckard's System Scanner v20071014.68
Run by Charles on 2008-02-23 16:43:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-23 16:43:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\Documents and Settings\Charles\Desktop\kadah.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {0F047431-17BC-462F-AB4E-9951024AEFC7} - (no file)
O2 - BHO: (no name) - {393C2547-B2AB-422C-87AF-385238C73416} - (no file)
O2 - BHO: (no name) - {76AB0B87-C830-4CE6-A8BD-BF847484E4EC} - (no file)
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SyncMyCal] C:\Program Files\Synchronization Technologies Inc\SyncMyCal\SyncMyCal.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: ljjjggf - C:\WINDOWS\system32\
O20 - Winlogon Notify: wpzifyyo - C:\WINDOWS\system32\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


--
End of file - 11203 bytes

-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-23 09:26:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-23 09:26:04 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-22 12:08:00 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-22 12:08:00 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-22 12:08:00 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-22 12:08:00 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-22 09:14:45 0 d-------- C:\WINDOWS\ERUNT
2008-02-22 01:51:08 0 dr-h----- C:\$VAULT$.AVG
2008-02-22 00:29:42 0 d-------- C:\Documents and Settings\Charles\Application Data\AVG7
2008-02-22 00:29:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-22 00:29:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-22 00:29:13 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-21 22:58:07 0 d-------- C:\Documents and Settings\Charles\Application Data\Malwarebytes
2008-02-21 22:58:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 22:58:01 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 22:02:29 3624 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-21 21:57:37 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-21 21:57:37 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-21 21:57:37 85504 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-21 21:57:37 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-21 21:57:37 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-21 21:57:37 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-21 21:57:37 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-21 21:04:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-02-21 21:04:45 0 d-------- C:\Documents and Settings\Charles\Application Data\Roxio
2008-02-21 20:51:29 0 d-------- C:\WINDOWS\system32\DLA
2008-02-21 20:51:02 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-21 20:50:27 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-21 20:49:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-21 20:48:58 0 d-------- C:\Program Files\SightSpeed
2008-02-21 20:45:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-21 20:45:45 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-21 20:45:45 0 d-------- C:\Program Files\Common Files\SightSpeed
2008-02-21 20:45:44 0 d-------- C:\Program Files\Roxio
2008-02-21 20:45:18 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-20 12:40:33 0 d--hs---- C:\WINDOWS\CSC
2008-02-18 01:06:47 0 d-------- C:\Documents and Settings\Charles\Application Data\Apple Computer
2008-02-18 01:06:37 0 d-------- C:\Program Files\iPod
2008-02-18 01:06:33 0 d-------- C:\Program Files\iTunes
2008-02-18 01:05:42 0 d-------- C:\Program Files\QuickTime
2008-02-18 01:05:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-18 01:05:25 0 d-------- C:\Program Files\Apple Software Update
2008-02-18 01:05:10 0 d-------- C:\Program Files\Common Files\Apple
2008-02-18 01:05:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-15 13:24:25 0 d-------- C:\Program Files\Apollo DVD Copy
2008-02-15 13:07:14 0 d-------- C:\Program Files\NewTech Infosystems
2008-02-15 13:07:04 6016 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
2008-02-09 16:11:45 0 d-------- C:\WINDOWS\system32\(null)202
2008-02-07 09:46:20 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 09:46:20 3453 --a------ C:\WINDOWS\unins000.dat
2008-02-06 14:14:42 11 --a------ C:\WINDOWS\system32\(null)id
2008-02-06 13:23:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-05 11:03:14 0 d-------- C:\Documents and Settings\Charles\Application Data\skypePM
2008-02-05 11:03:14 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-05 11:01:27 0 d-------- C:\Documents and Settings\Charles\Application Data\Skype
2008-02-05 11:01:12 0 d-------- C:\Program Files\Skype
2008-02-05 11:01:11 0 d-------- C:\Program Files\Common Files\Skype
2008-02-05 11:01:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-03 20:37:12 0 d-------- C:\Documents and Settings\Charles\Application Data\WinRAR
2008-02-02 17:48:36 0 d-------- C:\Program Files\Synchronization Technologies Inc
2008-02-02 17:47:18 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-02-02 17:18:13 0 d-------- C:\Documents and Settings\Charles\Application Data\SyncMyCal
2008-02-02 16:30:57 0 d-------- C:\Documents and Settings\Charles\Application Data\RemoteCalendars
2008-01-31 23:30:03 0 d--h----- C:\WINDOWS\PIF
2008-01-31 22:10:16 0 d-------- C:\Documents and Settings\Charles\Application Data\Windows Desktop Search
2008-01-31 22:09:39 0 d-------- C:\Program Files\Windows Desktop Search
2008-01-28 11:49:10 0 d-------- C:\Program Files\MSBuild
2008-01-28 11:39:32 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-01-28 11:39:32 0 d-------- C:\Documents and Settings\Charles\Application Data\DAEMON Tools
2008-01-28 11:35:12 716272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-26 23:10:05 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-26 23:07:46 0 d-------- C:\Program Files\Bonjour
2008-01-26 23:02:07 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-26 21:19:28 0 d-------- C:\Program Files\Google
2008-01-26 21:19:28 0 d-------- C:\Documents and Settings\Charles\Application Data\Google
2008-01-26 21:05:27 0 d-------- C:\Program Files\Microsoft Works
2008-01-26 21:05:11 0 d-------- C:\Program Files\Microsoft.NET
2008-01-26 21:04:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-26 21:04:00 0 dr-h----- C:\MSOCache
2008-01-26 07:09:35 0 d-------- C:\Documents and Settings\Charles\Application Data\elefundesktops
2008-01-26 07:00:13 10 --a------ C:\Documents and Settings\Charles\(null)id


-- Find3M Report ---------------------------------------------------------------

2008-02-22 16:54:46 0 d-------- C:\Program Files\Trillian
2008-02-21 23:04:47 0 d-------- C:\Program Files\Common Files
2008-02-21 20:49:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-21 20:47:06 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-21 15:40:13 13009 --a------ C:\Documents and Settings\Charles\Application Data\Comma Separated Values (Windows).CAL
2008-02-21 15:39:29 38473 --a------ C:\Documents and Settings\Charles\Application Data\Comma Separated Values (Windows).ADR
2008-02-20 15:56:06 19923 --a------ C:\Program Files\Common Files\epepyfas.inf
2008-02-18 19:01:11 0 d-------- C:\Documents and Settings\Charles\Application Data\Azureus
2008-02-02 16:54:12 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-02-01 12:27:42 0 d-------- C:\Documents and Settings\Charles\Application Data\OpenOffice.org2
2008-01-28 10:35:05 0 d-------- C:\Documents and Settings\Charles\Application Data\Adobe
2008-01-26 23:07:44 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-25 23:01:58 0 d-------- C:\Program Files\World of Warcraft
2008-01-17 22:41:06 0 d-------- C:\Documents and Settings\Charles\Application Data\U3
2008-01-15 17:57:18 0 d-------- C:\Program Files\Java
2008-01-13 22:35:53 134374 --a------ C:\Documents and Settings\Charles\Application Data\Cosmos Prefs
2008-01-12 14:52:59 0 d-------- C:\Program Files\Security Task Manager
2008-01-08 16:05:43 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-01-01 23:15:45 0 d-------- C:\Program Files\Xvid
2008-01-01 23:14:54 0 d-------- C:\Program Files\DivX
2007-12-31 05:46:39 0 d-------- C:\Documents and Settings\Charles\Application Data\Sun
2007-12-27 20:21:47 0 d-------- C:\Documents and Settings\Charles\Application Data\InstallShield
2007-12-27 20:00:34 0 d-------- C:\Program Files\Intel
2007-12-25 23:38:23 1158 --a------ C:\WINDOWS\mozver.dat
2007-12-25 01:57:37 48456 --a------ C:\WINDOWS\system32\UninstallElectricSheep.exe
2007-12-25 01:17:11 0 d-------- C:\Program Files\Lavasoft
2007-12-25 01:16:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 17:28:25 0 d-------- C:\Program Files\Azureus
2007-12-24 17:25:30 0 d-------- C:\Program Files\LimeWire
2007-12-24 17:24:49 0 d-------- C:\Program Files\Common Files\Java
2007-12-24 16:44:56 0 d-------- C:\Documents and Settings\Charles\Application Data\Winamp
2007-12-24 16:39:26 0 d-------- C:\Program Files\Winamp
2007-12-24 16:30:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-24 16:30:35 0 d-------- C:\Documents and Settings\Charles\Application Data\Mozilla
2007-12-24 14:42:49 0 d-------- C:\Documents and Settings\Charles\Application Data\Yahoo!
2007-12-24 14:40:18 0 d-------- C:\Program Files\Yahoo!
2007-12-24 14:39:54 0 d-------- C:\Program Files\Cosmi


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F047431-17BC-462F-AB4E-9951024AEFC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{393C2547-B2AB-422C-87AF-385238C73416}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76AB0B87-C830-4CE6-A8BD-BF847484E4EC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [08/04/2004 07:00 AM]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [08/04/2004 07:00 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [10/07/2005 12:54 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/07/2005 12:52 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/28/2005 01:55 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [12/28/2005 01:56 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 09:59 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [09/29/2006 12:39 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/28/2005 01:55 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/28/2005 04:52 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/28/2005 04:55 PM]
"SigmatelSysTrayApp"="stsystra.exe" [12/27/2005 10:20 AM C:\WINDOWS\stsystra.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [07/31/2006 09:00 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/22/2008 12:30 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 09:59 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [01/17/2008 11:51 AM]
"SyncMyCal"="C:\Program Files\Synchronization Technologies Inc\SyncMyCal\SyncMyCal.exe" [01/11/2008 06:21 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=%windir%\help\wizard.hta

C:\Documents and Settings\Charles\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjggf]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 08/04/2004 07:00 AM 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 08/29/2002 05:41 AM 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 08/04/2004 07:00 AM 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wpzifyyo]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-02-23 16:43:50 ------------

Edited by Yodoman, 23 February 2008 - 03:47 PM.


#24 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Ok

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F047431-17BC-462F-AB4E-9951024AEFC7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{393C2547-B2AB-422C-87AF-385238C73416}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76AB0B87-C830-4CE6-A8BD-BF847484E4EC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjggf]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wpzifyyo]

Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.

After it merges you can delete this also.
===================
Go ahead and uninstall MalwareBytes Antimalware.

Also delete C:\SdFix and C:\Avenger
=====================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
===================================
After that I would like for you to run a full system scan with AVG and let me know how it goes (what it finds).
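The fix above deletes two Winlogon Notify subkeys (ljjjggf, wpzifyyo) and three Browser Helper Object CLSIDs that the Deckard log listed with no module behind them. Before removing such entries it helps to see, for every entry in those two autostart locations, which DLL it resolves to and whether that DLL exists and is signed. The script below is an added, read-only audit example for that purpose; it is not part of the thread and not a tool the helper used. It assumes Windows PowerShell 5.1 run from an elevated prompt, the standard key paths shown, and that a BHO's DLL is found via its CLSID's InprocServer32 value (the Winlogon Notify key no longer exists on Vista and later, in which case that section simply reports nothing).

```powershell
# Added audit example (not from the thread): enumerate Browser Helper Objects and
# Winlogon Notify packages, resolve each to its DLL and flag anything that is
# missing, unsigned, or has no module value at all. It changes nothing.
# Assumptions: Windows PowerShell 5.1, elevated; standard registry locations.

$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-DllPath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim('"'))
    # Notify packages (and some InprocServer32 values) store a bare file name
    # that the loader looks up in System32; resolve it the same way.
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path ([Environment]::GetFolderPath('System')) $p
    }
    return $p
}

function Get-DllStatus {
    param([string]$Path)
    # A subkey with no DllName / InprocServer32 value is the pattern the
    # Deckard log showed for ljjjggf and wpzifyyo: the hook survived, the payload did not.
    if (-not $Path) { return 'NO-DLL-VALUE' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') {
        return "SIGNED ($($sig.SignerCertificate.Subject))"
    }
    return "UNSIGNED ($($sig.Status))"
}

$findings = @()

if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $raw    = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
        $dll    = Resolve-DllPath $raw
        $findings += [pscustomobject]@{
            Source = 'BHO'; Entry = $clsid; Dll = $dll; Status = (Get-DllStatus $dll)
        }
    }
}

if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $raw = (Get-ItemProperty $sub.PSPath).DllName
        $dll = Resolve-DllPath $raw
        $findings += [pscustomobject]@{
            Source = 'WinlogonNotify'; Entry = $sub.PSChildName; Dll = $dll; Status = (Get-DllStatus $dll)
        }
    }
}

# Full picture first, then only the entries that deserve a closer look.
$findings | Sort-Object Source, Status | Format-Table -AutoSize
Write-Host "`nEntries that are not a present, validly signed DLL:"
$findings | Where-Object { $_.Status -notlike 'SIGNED*' } | Format-Table -AutoSize
```

Entries reported as NO-DLL-VALUE or MISSING are the leftover hooks a .reg fix like the one above removes; UNSIGNED entries with a vendor you recognise (tablet-PC and touchpad notify packages on this machine, for example) are normal and should be left alone.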

#25 Yodoman (Member, Topic Starter, 13 posts)
It found nothing!!! I think we're good to go :)

#26 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Great, your log is clean.


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein -> Here
====================
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.