Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Antispywareupdates.net infection

Started by Evil Ed , Mar 14 2008 12:14 AM

Please log in to reply

#1
Evil Ed

Posted 14 March 2008 - 12:14 AM

New Member

Member
8 posts

A friend asked me to fix his infected PC. Please help me... this is a bit out of my league. Anyway, the pc keeps wanting to go to Antispywareupdates.net, the desktop says the pc is infected and has a link for antispyware, and what looks like Windows security center is warning about an infection.

I used HijackThis to fix "O4 - HKLM\..\Run: [7c8c9078] rundll32.exe "C:\WINDOWS\system32\bkcariyc.dll",b" because Symantec Antivirus keeps complaining about it being infected with Trojan.Virantax.B virus.

Here is the current HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:33 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\opnmlki.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: (no name) - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fkavlbpb.dll (file missing)
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7
C8F0287E55E246220D9E728F9FC17D446BC57D5170E744AB97
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O20 - Winlogon Notify: fkavlbpb - fkavlbpb.dll (file missing)
O20 - Winlogon Notify: opnmlki - C:\WINDOWS\SYSTEM32\opnmlki.dll
O20 - Winlogon Notify: tuvvvsp - tuvvvsp.dll (file missing)
O21 - SSODL: hinnible - {59080fb1-a43e-4059-a155-18b1eac7352c} - (no file)
O22 - SharedTaskScheduler: {59080fb1-a43e-4059-a155-18b1eac7352c} - hinnible - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8744 bytes

Thank you for your help.
Ed

#2
Rorschach112

Posted 14 March 2008 - 08:47 AM

Ralphie

Retired Staff
47,710 posts

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#3
Evil Ed

Posted 14 March 2008 - 09:31 PM

New Member

Topic Starter
Member
8 posts

Thanks for your help!

BTW, every reboot gives me an anti-spyware program called SpyAway auto starting. Searching the internet for it kind of gives me the impression that it might be a virus or spyware itself. Should I try to uninstall it?

Symantec Anti-Virus found the following during the dss.exe scan:
------------------------
Trojan.Virantix.B - c:\Windows\System32\users32.dat
(The c:\Windows\System32\users32.dat seems to get found after every reboot.)
Trojan Horse - c:\Windows\temp\DWH803A.tmp
Trojan Horse - c:\Windows\temp\DWH8366.tmp
Trojan.Vundo - c:\Windows\temp\DWH8441.tmp
Downloader - c:\Windows\temp\DWH8853B.tmp
Trojan.Vundo - c:\Windows\temp\DWH85D7.tmp
Trojan.Vundo - c:\Windows\temp\DWH8664.tmp
Trojan.Vundo - c:\Windows\temp\DWH875E.tmp
Trojan.Adclicker - c:\Windows\system32\ofinyxxx.dll
Trojan.Adclicker - c:\Windows\system32\olclxppw.dll
Trojan.Metajuanr - c:\Windows\system32\uhsuyeuc.dll

Ok, here are the files:

>>>>>>>> rapport.txt
----------------------------

SmitFraudFix v2.303

Scan done at 22:35:40.26, Fri 03/14/2008
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hinnible"="{59080fb1-a43e-4059-a155-18b1eac7352c}"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 multitrader.info
127.0.0.1 reggame.biz
127.0.0.1 tele-globus.biz
127.0.0.1 newasp.com.cn
127.0.0.1 daoway.biz
127.0.0.1 school-172.info
127.0.0.1 http://test.just.f1d.../limbo/mail.php
127.0.0.1 lem0n.info
127.0.0.1 supra-hosting.info

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\default.htm Deleted
C:\WINDOWS\system32\mgmrwmrv.exe Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\Program Files\Safety Bar\ Deleted
C:\Program Files\SpyHeal\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

>>>>>>>> main.txt
----------------------------

Deckard's System Scanner v20071014.68
Run by Admin on 2008-03-14 22:59:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 3 Restore Point(s) --
3: 2008-03-15 04:00:02 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-03-14 07:23:59 UTC - RP2 - Before HijackThis
1: 2008-03-14 07:23:10 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 0.76 GiB (less than 15%) free.

-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:25 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\opnmlki.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fkavlbpb.dll (file missing)
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7
C8F0287E55E246220D9E728F9FC17D446BC57D5170E744AB97
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O20 - Winlogon Notify: fkavlbpb - fkavlbpb.dll (file missing)
O20 - Winlogon Notify: opnmlki - C:\WINDOWS\SYSTEM32\opnmlki.dll
O20 - Winlogon Notify: tuvvvsp - tuvvvsp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7117 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080314-014105-899 O4 - HKLM\..\Run: [7c8c9078] rundll32.exe "C:\WINDOWS\system32\bkcariyc.dll",b

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NICSer_WPC54GS - c:\program files\linksys\wireless-g notebook adapter with speedbooster\nicserv.exe

S2 McShield (McAfee Real-time Scanner) - c:\progra~1\mcafee\viruss~1\mcshield.exe (file missing)
S3 McSysmon (McAfee SystemGuards) - c:\progra~1\mcafee\viruss~1\mcsysmon.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 10:46:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-02-14 and 2008-03-14 -----------------------------

2008-03-14 22:35:59 1934 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-14 01:27:58 0 d--h----- C:\Documents and Settings\Admin\Templates
2008-03-14 01:27:58 0 dr------- C:\Documents and Settings\Admin\Start Menu
2008-03-14 01:27:58 0 dr-h----- C:\Documents and Settings\Admin\SendTo
2008-03-14 01:27:58 0 dr-h----- C:\Documents and Settings\Admin\Recent
2008-03-14 01:27:58 0 d--h----- C:\Documents and Settings\Admin\PrintHood
2008-03-14 01:27:58 786432 --ah----- C:\Documents and Settings\Admin\NTUSER.DAT
2008-03-14 01:27:58 0 d--h----- C:\Documents and Settings\Admin\NetHood
2008-03-14 01:27:58 0 dr------- C:\Documents and Settings\Admin\My Documents
2008-03-14 01:27:58 0 d--h----- C:\Documents and Settings\Admin\Local Settings
2008-03-14 01:27:58 0 dr------- C:\Documents and Settings\Admin\Favorites
2008-03-14 01:27:58 0 d-------- C:\Documents and Settings\Admin\Desktop
2008-03-14 01:27:58 0 d---s---- C:\Documents and Settings\Admin\Cookies
2008-03-14 01:27:58 0 dr-h----- C:\Documents and Settings\Admin\Application Data
2008-03-14 01:27:58 0 d-------- C:\Documents and Settings\Admin\Application Data\Sun
2008-03-14 01:27:58 0 d-------- C:\Documents and Settings\Admin\Application Data\Jasc Software Inc
2008-03-14 01:27:58 0 d-------- C:\Documents and Settings\Admin\Application Data\Identities
2008-03-14 01:27:58 0 d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-03-14 01:11:02 0 d-------- C:\Program Files\Trend Micro
2008-03-14 01:09:53 0 d-------- C:\__Virus_Fix
2008-03-12 02:36:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\SpamBlocker
2008-03-12 02:33:24 0 d-------- C:\Program Files\seekmo
2008-03-12 02:33:23 0 d-------- C:\Program Files\zango
2008-03-12 02:33:23 0 d-------- C:\Program Files\180searchassistant
2008-03-12 02:29:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-12 02:29:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-12 02:29:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-12 02:29:26 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-12 02:29:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-12 02:29:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-12 02:29:26 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-12 02:29:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-12 02:29:26 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-12 02:29:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-12 02:29:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-03-12 02:29:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-12 02:29:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-03-12 02:29:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-12 02:29:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-12 02:29:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-12 02:29:26 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-12 02:29:25 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-10 19:12:12 0 d-------- C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility
2008-03-10 18:08:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility_Icons
2008-03-10 18:08:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility
2008-03-10 18:07:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\SpamBlocker
2008-03-10 18:07:15 0 d-------- C:\Program Files\Hotbar
2008-03-10 18:07:14 0 d-------- C:\Program Files\SpamBlockerUtility
2008-03-10 17:41:09 0 d-------- C:\Program Files\SpyAway
2008-03-10 17:35:10 304835 --a------ C:\WINDOWS\system32\winivstr.exe
2008-03-10 08:10:39 16384 --a------ C:\WINDOWS\system32\braviax.exe
2008-03-10 08:10:36 59392 --a------ C:\Hrn.exe
2008-03-10 07:54:55 334120 --a------ C:\WINDOWS\system32\mllji.dll
2008-03-10 07:50:46 0 d-------- C:\Documents and Settings\Mom_2\Application Data\?dobe
2008-03-09 17:20:44 328280 --a------ C:\WINDOWS\system32\mllmm.dll
2008-03-09 12:02:40 318060 --a------ C:\WINDOWS\system32\gebya.dll
2008-03-09 10:30:59 32768 --a------ C:\WINDOWS\voiceip.dll
2008-03-09 10:30:59 13056 --a------ C:\WINDOWS\stcloader.exe
2008-03-09 10:30:59 0 d-------- C:\Program Files\stc
2008-03-09 10:30:58 15104 --a------ C:\WINDOWS\swin32.dll
2008-03-09 10:30:58 31744 --a------ C:\WINDOWS\cdsm32.dll
2008-03-09 10:30:58 29696 --a------ C:\WINDOWS\bokja.exe
2008-03-09 10:30:57 24832 --a------ C:\WINDOWS\mssvr.exe
2008-03-09 10:30:56 24832 --a------ C:\WINDOWS\mspphe.dll
2008-03-09 10:30:56 30464 --a------ C:\WINDOWS\bjam.dll
2008-03-09 10:30:56 24832 --a------ C:\WINDOWS\2020search2.dll
2008-03-09 10:30:55 14848 --a------ C:\WINDOWS\2020search.dll
2008-03-09 10:30:54 19200 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-03-09 10:30:54 9984 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-03-09 10:30:54 0 d-------- C:\Program Files\180search assistant
2008-03-09 10:30:53 12288 --a------ C:\WINDOWS\salm.exe
2008-03-09 10:30:53 16640 --a------ C:\WINDOWS\180ax.exe
2008-03-09 10:30:52 19456 --a------ C:\WINDOWS\updatetc.exe
2008-03-09 10:30:52 30976 --a------ C:\WINDOWS\saiemod.dll
2008-03-09 10:30:52 0 d-------- C:\WINDOWS\FLEOK
2008-03-09 10:30:52 0 d-------- C:\Program Files\180solutions
2008-03-09 10:30:51 22016 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-09 10:30:50 13824 --a------ C:\WINDOWS\msapasrc.dll
2008-03-09 10:30:50 12544 --a------ C:\WINDOWS\msa64chk.dll
2008-03-09 10:30:49 9728 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-09 10:30:49 16896 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-09 10:30:49 22784 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-03-09 10:30:49 12288 --a------ C:\WINDOWS\shdocpl.dll
2008-03-09 10:30:48 13312 --a------ C:\WINDOWS\shdocpe.dll
2008-03-09 10:30:48 9472 --a------ C:\WINDOWS\ntnut.exe
2008-03-09 10:30:46 31232 --a------ C:\WINDOWS\winsb.dll
2008-03-09 10:30:46 9472 --a------ C:\WINDOWS\browserad.dll
2008-03-09 10:30:46 30976 --a------ C:\WINDOWS\aviwrap32.dll
2008-03-09 10:30:46 0 d-------- C:\Program Files\Sysmnt
2008-03-09 10:30:45 13056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:30:45 19712 --a------ C:\WINDOWS\avifile32.dll
2008-03-09 10:30:45 14336 --a------ C:\WINDOWS\autodisc32.dll
2008-03-09 10:30:45 18432 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-09 10:30:44 20224 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-09 10:30:44 27648 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-09 10:30:44 23808 --a------ C:\WINDOWS\athprxy32.dll
2008-03-09 10:30:44 14080 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-09 10:30:44 21248 --a------ C:\WINDOWS\asferror32.dll
2008-03-09 10:30:43 20736 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-09 10:30:43 26624 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 20:27:51 329740 --a------ C:\WINDOWS\system32\pmkjk.dll
2008-03-08 20:23:26 0 d-------- C:\Program Files\webHancer
2008-03-08 20:23:09 37376 -ra------ C:\WINDOWS\mrofinu72.exe
2008-03-08 20:22:35 37376 --a------ C:\WINDOWS\system32\opnmlki.dll
2008-03-05 14:41:58 0 d-------- C:\Program Files\Outerinfo
2008-03-05 14:41:54 0 d-------- C:\WINDOWS\system32\?ystem
2008-03-05 13:43:16 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-02-21 14:55:06 0 d-------- C:\Program Files\JavaCore
2008-02-19 09:09:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-02-19 08:28:32 0 d-------- C:\WINDOWS\s?stem
2008-02-17 11:05:55 0 d-------- C:\WINDOWS\s?mbols
2008-02-16 20:29:36 45 ---h----- C:\WINDOWS\dsez5089.dat
2008-02-16 20:28:04 0 d-------- C:\Program Files\PhotoFiltre Studio
2008-02-16 12:03:41 1219 --a------ C:\WINDOWS\checkip.dat

-- Find3M Report ---------------------------------------------------------------

2008-03-14 22:51:18 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-08 20:45:10 0 d-------- C:\Program Files\ISM
2008-03-08 20:25:28 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-08 20:22:59 0 d-------- C:\Program Files\QdrModule
2008-03-08 20:22:49 0 d-------- C:\Program Files\QdrDrive
2008-03-08 20:22:42 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-03-07 20:27:41 0 d-------- C:\Program Files\Common Files
2008-03-07 20:27:18 0 d-------- C:\Program Files\McAfee
2008-02-18 11:28:58 0 d-------- C:\Program Files\Temporary
2008-02-17 11:05:45 0 d-------- C:\Program Files\Common Files\?asks
2008-01-22 18:17:50 0 d-------- C:\Program Files\Linksys
2008-01-22 18:17:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-22 18:16:54 0 d-------- C:\Program Files\Funk Software
2008-01-22 18:16:54 0 d-------- C:\Program Files\Common Files\Funk Software
2008-01-16 19:47:38 0 d-------- C:\Program Files\iTunes
2008-01-16 19:47:26 0 d-------- C:\Program Files\iPod
2008-01-16 19:45:28 0 d-------- C:\Program Files\Bonjour
2008-01-16 19:45:01 0 d-------- C:\Program Files\QuickTime
2007-12-21 16:24:26 526472 --ahs---- C:\WINDOWS\system32\acbeg.ini2
2007-12-21 16:17:57 0 --------- C:\WINDOWS\system32\olclxppw.dll
2007-12-21 16:14:57 0 --------- C:\WINDOWS\system32\uhsuyeuc.dll
2007-12-18 16:00:28 0 --------- C:\WINDOWS\system32\ofinyxxx.dll
2007-12-17 20:25:28 7003 --ahs---- C:\WINDOWS\system32\bcbeg.ini2

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08A3084E-E8C8-4DE1-9FB4-48179982C8DE}]
03/08/2008 08:22 PM 37376 --a------ C:\WINDOWS\system32\opnmlki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 08:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 06:27 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [03/10/2008 12:45 PM]
"braviax"="C:\WINDOWS\system32\braviax.exe" [03/10/2008 08:10 AM]
"SpyAway"="C:\Program Files\SpyAway\spyaway.exe" [03/10/2008 05:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" []

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [1/22/2008 6:17:51 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\tuvvvsp.dll [ ]
"{08A3084E-E8C8-4DE1-9FB4-48179982C8DE}"= C:\WINDOWS\system32\opnmlki.dll [03/08/2008 08:22 PM 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fkavlbpb]
fkavlbpb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmlki]
opnmlki.dll 03/08/2008 08:22 PM 37376 C:\WINDOWS\SYSTEM32\opnmlki.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvvsp]
tuvvvsp.dll

-- Hosts -----------------------------------------------------------------------

127.0.0.1 multitrader.info
127.0.0.1 reggame.biz
127.0.0.1 tele-globus.biz
127.0.0.1 newasp.com.cn
127.0.0.1 daoway.biz
127.0.0.1 school-172.info
127.0.0.1 http://test.just.f1d.../limbo/mail.php
127.0.0.1 lem0n.info
127.0.0.1 supra-hosting.info

-- End of Deckard's System Scanner: finished at 2008-03-14 23:05:56 ------------

>>>>>>>> extra.txt
----------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 509.98 MiB / 186.43 MiB
Pagefile Memory (total/avail): 1247.59 MiB / 983.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.49 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 34.44 GiB total, 0.76 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75JHA0 - 37.25 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 34.44 GiB - C:
\PARTITION2 - Unknown - 2.75 GiB

\\.\PHYSICALDRIVE1 - Generic STORAGE DEVICE USB Device - 23.53 MiB - 1 partition
\PARTITION0 - 16-bit FAT - 29.66 MiB - E:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dhpmbuby.exe"="C:\\WINDOWS\\system32\\dhp"
"C:\\WINDOWS\\system32\\cwanxnnw.exe"="C:\\WINDOWS\\system32\\cwa"
"C:\\WINDOWS\\system32\\tmsaxvvw.exe"="C:\\WINDOWS\\system32\\tms"
"C:\\WINDOWS\\system32\\ukicfesr.exe"="C:\\WINDOWS\\system32\\uki"
"C:\\WINDOWS\\system32\\wirjycgc.exe"="C:\\WINDOWS\\system32\\wir"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Admin\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DC8WG661
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Admin
LOGONSERVER=\\DC8WG661
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
USERDOMAIN=DC8WG661
USERNAME=Admin
USERPROFILE=C:\Documents and Settings\Admin
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Frankie
Mom (admin)
Dad (admin)
Mom_2 (admin)
Admin (admin)
Administrator (admin)
Guest (guest)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Banctec Service Agreement --> MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Corel Paint Shop Pro Photo XI --> MsiExec.exe /I{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Support 5.0.0 (630) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee Privacy Service --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\mpsrem.ui::uninstall.htm
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
MySpaceIM --> MsiExec.exe /I{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761}
Odyssey Client --> MsiExec.exe /X{99D42EC7-652B-4819-B3E6-6450C815E03F}
Optimum Online Toolbar --> C:\PROGRA~1\OPTIMU~1\UNWISE.EXE C:\PROGRA~1\OPTIMU~1\INSTALL.LOG
Optimum Online Toolbar (remove only) --> regsvr32 /u /s "C:\Program Files\OptimumOnline\insptbar.dll"
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
PhotoFiltre Studio --> "C:\Program Files\PhotoFiltre Studio\Uninst.exe"
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Registry Cleaner 1.0 --> "C:\Program Files\Registry Cleaner Retail\unins000.exe"
Safety Bar --> "C:\Program Files\Safety Bar\Uninstall.bat" "C:\Program Files\Safety Bar"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9
SpyAway 1.01.0020 --> "C:\Program Files\SpyAway\uninstall.exe" -u
Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
Wireless-G Notebook Adapter with SpeedBooster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2EDF5F-F3C6-4919-AE34-C08A71AD034A}\Setup.exe" -l0x9
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}

-- Application Event Log -------------------------------------------------------

Event Record #/Type224199 / Error
Event Submitted/Written: 03/14/2008 11:05:23 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Adclicker in File: C:\WINDOWS\system32\ofinyxxx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Event Record #/Type224198 / Error
Event Submitted/Written: 03/14/2008 11:05:23 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Adclicker in File: C:\WINDOWS\SYSTEM32\ofinyxxx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Event Record #/Type224197 / Error
Event Submitted/Written: 03/14/2008 11:05:22 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Adclicker in File: C:\WINDOWS\system32\ofinyxxx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.

Event Record #/Type224196 / Error
Event Submitted/Written: 03/14/2008 11:04:40 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\WINDOWS\temp\DWH875E.tmp by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was deleted successfully.

Event Record #/Type224195 / Error
Event Submitted/Written: 03/14/2008 11:04:29 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Vundo in File: C:\WINDOWS\Temp\DWH875E.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type24566 / Error
Event Submitted/Written: 03/14/2008 10:51:12 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The McAfee Real-time Scanner service failed to start due to the following error:
%%3

Event Record #/Type24562 / Error
Event Submitted/Written: 03/14/2008 10:50:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type24561 / Error
Event Submitted/Written: 03/14/2008 10:49:41 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type24560 / Error
Event Submitted/Written: 03/14/2008 10:34:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type24559 / Error
Event Submitted/Written: 03/14/2008 10:34:42 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

-- End of Deckard's System Scanner: finished at 2008-03-14 23:05:56 ------------

#4
Evil Ed

Posted 14 March 2008 - 09:32 PM

New Member

Topic Starter
Member
8 posts

And here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:38 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\SpyAway\spyaway.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\opnmlki.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fkavlbpb.dll (file missing)
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7
C8F0287E55E246220D9E728F9FC17D446BC57D5170E744AB97
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O20 - Winlogon Notify: fkavlbpb - fkavlbpb.dll (file missing)
O20 - Winlogon Notify: opnmlki - C:\WINDOWS\SYSTEM32\opnmlki.dll
O20 - Winlogon Notify: tuvvvsp - tuvvvsp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7121 bytes

#5
Rorschach112

Posted 15 March 2008 - 07:22 AM

Ralphie

Retired Staff
47,710 posts

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#6
Evil Ed

Posted 15 March 2008 - 10:28 PM

New Member

Topic Starter
Member
8 posts

Awesome! I am no longer getting virus warnings. Thanks!

>>>>>>>> ComboFix.log

ComboFix 08-03-13.4 - Admin 2008-03-15 23:43:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\SpamBlocker
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Frankie\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Guest\Application Data\Install.dat
C:\Documents and Settings\LocalService\Application Data\SpamBlocker
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\SpamBlockerUtility.log
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\1.sdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\1066790.sdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\2884323.sdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\3852400.sdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\domains.txt
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\17025
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\27503
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\29115
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\306519
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\33697
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\531510
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\61837
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\6292
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\751230
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\753339
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\83216
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\96961
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\ustat\367c.dat
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\ads.cdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\btntrans.idx
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\btntrans1.dat
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\business_promo.htm
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\buttondir.txt
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\components.cdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\cursors.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_buttons_other.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\d_icons_weather.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\default.cdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz1.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz10.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz11.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz12.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz13.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz14.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz15.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz16.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz17.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz18.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz19.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz2.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz20.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz3.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz4.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz5.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz6.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz7.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz8.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz9.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_categorize.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_comparison.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_em_PROFL_CA_flow_b_IEB.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_explorer-people.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_fastutilities.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_favorites.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_Games.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_Hide.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_Hotmail.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_hsskin.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_jemster.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_jemsterie.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_jobsearch.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_Mails.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_new.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_premium.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_reun.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_ringtones.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_searchfor.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_searchgo.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_weather.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_yellowpages.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\email-t1-bg.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\hb_ie_menu.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\hotbar-premium-hotbar-premium.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\hotbar-premium.cdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\hotbar_promo.htm
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\icons2.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\ie_games_icon.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\ie_video.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\keywords.idx
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\keywords1.dat
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\layout.cdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\linkpathlegal.txt
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\progress.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\s_icons_buttons.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\sales_buttons.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\sbu_icon.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\t2_bg.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\theweb.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\top7.cdf
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Top7_theweb.mnu
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\tsd_bg.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\weathericon.res
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ads.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\business_promo.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\buttondir.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\cursors.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\default.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hb_ie_menu.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar-premium.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar_promo.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\icons2.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ie_video.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords1.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\layout.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\progress.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.txt
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\sbu_icon.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\weathericon.xip
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\LocalService\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Documents and Settings\Mom\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Mom\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Mom\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Mom\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Mom_2\Application Data\DOBE~1
C:\Documents and Settings\Mom_2\Application Data\macromedia\Flash Player\#SharedObjects\RZ7T9AZX\www.broadcaster.com
C:\Documents and Settings\Mom_2\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\SpamBlockerUtility.log
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\1.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\1058131.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\118843.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\2884321.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\2884323.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\2901962.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\3893642.sdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\domains.txt
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\116250
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\118207
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\11891
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\15024
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\17025
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\17040
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\186521
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\18906
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\26656
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\27503
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\27505
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\288733
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\29115
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\33697
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\34107
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\43719
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\44228
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\44293
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\44458
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\459052
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\538263
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\54469
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\61837
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\64404
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\64446
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\6552
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\6558
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\65770
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\67469
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\69263
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\70650
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\744260
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\744881
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\745148
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\748329
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\7521
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\753335
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\83216
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\86587
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\87843
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\92930
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\ustat\367c.dat
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\ads.cdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\btntrans.idx
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\btntrans1.dat
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\business_promo.htm
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\buttondir.txt
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\components.cdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\cursors.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_1000.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_2000.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_3000.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_bar.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_bbar1.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_logos.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_buttons_other.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\d_icons_weather.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\default.cdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz1.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz10.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz11.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz12.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz13.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz14.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz15.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz16.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz17.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz18.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz19.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz2.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz20.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz3.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz4.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz5.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz6.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz7.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz8.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_bidz9.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_categorize.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_comparison.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_em_PROFL_CA_flow_b_IEB.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_explorer-Mails.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_explorer-people.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_fastutilities.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_favorites.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_Games.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_Hide.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_hotbarcom.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_Hotmail.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_hsskin.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_jemster.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_jemsterie.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_jemsteruk.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_jobsearch.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_Mails.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_new.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_premium.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_reun.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_ringtones.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_searchfor.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_searchgo.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_weather.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Default_yellowpages.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\email-def-511724-9595.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\email-t1-bg.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\hb_ie_menu.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\hotbar-premium-hotbar-premium.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\hotbar-premium.cdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\hotbar_promo.htm
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\icons2.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\ie_games_icon.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\ie_video.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\keywords.idx
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\keywords1.dat
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\layout.cdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\linkpathlegal.txt
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\progress.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\s_icons_buttons.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\sales_buttons.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\sbu_icon.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\t2_bg.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\theweb.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\top7.cdf
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\Top7_theweb.mnu
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\tsd_bg.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\weathericon.res
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ads.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\business_promo.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\buttondir.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\cursors.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\default.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hb_ie_menu.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar-premium.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\hotbar_promo.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\icons2.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\ie_video.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\keywords1.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\layout.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\progress.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.txt
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\samplegroups2.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\sbu_icon.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Mom_2\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\weathericon.xip
C:\Documents and Settings\Mom_2\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Mom_2\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Mom_2\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Mom_2\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Mom_2\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Mom_2\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Mom_2\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Mom_2\Start Menu\Programs\Startup\TA_Start.lnk
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\asks~1\?asks\
C:\Program Files\Common Files\asks~1\ati2evxx.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive7.dll
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\targets.gz
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive12.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\WinAble
C:\Temp\fse
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\smbols~1
C:\WINDOWS\smbols~1\?ttrib.exe
C:\WINDOWS\sstem~1
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\acbeg.ini
C:\WINDOWS\SYSTEM32\acbeg.ini2
C:\WINDOWS\SYSTEM32\bcbeg.ini
C:\WINDOWS\SYSTEM32\bcbeg.ini2
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\components
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
hxxp://site.com
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 02:17 . 2008-03-15 02:26 <DIR> d-------- C:\VundoFix Backups
2008-03-14 22:59 . 2008-03-14 22:59 <DIR> d-------- C:\Deckard
2008-03-14 22:35 . 2008-03-14 22:35 1,934 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-14 01:27 . 2004-12-02 10:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Jasc Software Inc
2008-03-14 01:27 . 2004-12-02 10:57 <DIR> d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-03-14 01:11 . 2008-03-14 01:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 01:09 . 2008-03-15 02:16 <DIR> d-------- C:\__Virus_Fix
2008-03-12 02:33 . 2008-03-12 02:33 <DIR> d-------- C:\Program Files\zango
2008-03-12 02:33 . 2008-03-12 02:33 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-12 02:29 . 2004-12-02 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-12 02:29 . 2004-12-02 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-10 17:41 . 2008-03-15 02:15 <DIR> d-------- C:\Program Files\SpyAway
2008-03-10 08:10 . 2008-03-10 08:10 59,392 --a------ C:\Hrn.exe
2008-03-09 10:30 . 2008-03-09 10:30 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-09 10:30 . 2008-03-09 10:30 <DIR> d-------- C:\Program Files\stc
2008-03-09 10:30 . 2008-03-09 10:30 <DIR> d-------- C:\Program Files\180solutions
2008-03-09 10:30 . 2008-03-09 10:30 <DIR> d-------- C:\Program Files\180search assistant
2008-03-08 20:22 . 2008-03-08 20:22 295,819 --a------ C:\WINDOWS\SYSTEM32\L81B9.tmp
2008-03-08 20:22 . 2008-03-08 20:22 229,532 --a------ C:\WINDOWS\SYSTEM32\L74B9.tmp
2008-03-08 20:22 . 2008-03-08 20:22 37,376 --a------ C:\WINDOWS\SYSTEM32\opnmlki.dll.vir
2008-03-08 00:17 . 2008-03-08 00:17 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-02-20 17:45 . 2008-02-20 17:45 72,566 --a------ C:\WINDOWS\SYSTEM32\GameFly_2.ico
2008-02-17 11:06 . 2008-02-17 11:06 400 --a------ C:\WINDOWS\SYSTEM32\LC761.tmp
2008-02-17 11:05 . 2008-02-17 11:05 181,965 --a------ C:\WINDOWS\SYSTEM32\L22D.tmp
2008-02-16 20:29 . 2008-02-16 20:29 45 ---h----- C:\WINDOWS\dsez5089.dat
2008-02-16 20:28 . 2008-02-16 20:32 <DIR> d-------- C:\Program Files\PhotoFiltre Studio
2008-02-16 12:03 . 2008-02-16 12:04 1,219 --a------ C:\WINDOWS\checkip.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 04:42 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-09 01:38 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\Corel
2008-03-09 01:25 6,686 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-03-08 01:27 --------- d-----w C:\Program Files\McAfee
2008-03-08 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-08 01:20 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\McAfee
2008-02-28 21:45 --------- d-----w C:\Documents a

#7
Evil Ed

Posted 15 March 2008 - 10:32 PM

New Member

Topic Starter
Member
8 posts

Oops! That didn't fit. Here is the rest starting at "Find3M Report "

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 04:42 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-09 01:38 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\Corel
2008-03-09 01:25 6,686 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-03-08 01:27 --------- d-----w C:\Program Files\McAfee
2008-03-08 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-08 01:20 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\McAfee
2008-02-28 21:45 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\LimeWire
2008-01-22 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 23:17 --------- d-----w C:\Program Files\Linksys
2008-01-22 23:16 --------- d-----w C:\Program Files\Funk Software
2008-01-22 23:16 --------- d-----w C:\Program Files\Common Files\Funk Software
2008-01-20 18:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-17 00:47 --------- d-----w C:\Program Files\iTunes
2008-01-17 00:47 --------- d-----w C:\Program Files\iPod
2008-01-17 00:45 --------- d-----w C:\Program Files\QuickTime
2008-01-17 00:45 --------- d-----w C:\Program Files\Bonjour
2006-03-22 18:46 104 --sh--r C:\WINDOWS\SYSTEM32\4232D0E863.sys
2006-12-18 02:11 168 --sh--r C:\WINDOWS\SYSTEM32\63E8D03242.sys
2007-11-19 21:05 6,842 -csha-w C:\WINDOWS\SYSTEM32\hjllm.ini2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,160 2004-12-08 22:50:04 C:\Program Files\AIM\bak\aim.exe
----a-w 67,112 2006-08-01 20:35:36 C:\Program Files\AIM\aim.exe

-c--a-w 67,160 2006-08-19 04:13:28 C:\Program Files\AIM\AIM95_c0\bak\aim.exe

----a-w 1,388,544 2004-06-30 19:33:04 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 1,597,440 2004-09-09 22:35:38 C:\Program Files\AWS\WeatherBug\bak\Weather.exe

----a-w 290,816 2004-04-12 02:15:14 C:\Program Files\Dell\Media Experience\bak\PCMService.exe

----a-w 306,688 2004-07-19 13:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 221,184 2003-09-04 02:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 229,952 2006-09-12 05:58:54 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 32,881 2003-11-19 23:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 36,975 2005-04-13 08:48:52 C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe

----a-w 98,304 2004-06-17 04:33:02 C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe

----a-w 1,083,392 2004-08-03 23:18:16 C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe

----a-w 53,248 2004-09-14 14:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

----a-w 131,072 2004-09-14 14:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 98,304 2004-12-02 16:02:31 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 26,112 2004-12-02 16:01:44 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

-c--a-w 118,784 2004-02-10 17:51:30 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

-c--a-w 155,648 2004-02-10 17:55:32 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 18:27 85696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

C:\Documents and Settings\Mom_2\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-12-03 16:35:53 147456]
PowerReg Scheduler V3.exe [2007-10-06 18:13:28 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2008-01-22 18:17:51 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R2 NICSer_WPC54GS;NICSer_WPC54GS;C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [2003-11-13 13:29]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 15:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 23:49:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-15 23:54:56
ComboFix-quarantined-files.txt 2008-03-16 04:54:53

And here is hijackthis.log:
----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:15 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O20 - AppInit_DLLs:
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6552 bytes

#8
Rorschach112

Posted 16 March 2008 - 01:06 PM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - AppInit_DLLs:

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Hrn.exe
C:\WINDOWS\SYSTEM32\L81B9.tmp
C:\WINDOWS\SYSTEM32\L74B9.tmp
C:\WINDOWS\SYSTEM32\opnmlki.dll.vir
C:\WINDOWS\SYSTEM32\LC761.tmp
C:\WINDOWS\SYSTEM32\L22D.tmp
C:\WINDOWS\dsez5089.dat
C:\WINDOWS\SYSTEM32\hjllm.ini2
C:\WINDOWS\system32\braviax.exe

Folder::
C:\Program Files\zango
C:\Program Files\180searchassistant
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\Program Files\180solutions
C:\Program Files\180search assistant
C:\Program Files\MyWaySA

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Download FindAWF.exe from here or here, and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.

#9
Evil Ed

Posted 16 March 2008 - 07:19 PM

New Member

Topic Starter
Member
8 posts

Yes! Things seem to be running much smoother now. Thanks for all your help. Here are the logs:

>>>>>>>> awf.txt <<<<<<<<

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 03/16/2008
The current time is: 21:03:56.89

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

>>>>>>>> ComboFix.log <<<<<<<<

ComboFix 08-03-13.4 - Admin 2008-03-16 20:37:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Hrn.exe
C:\WINDOWS\dsez5089.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\SYSTEM32\hjllm.ini2
C:\WINDOWS\SYSTEM32\L22D.tmp
C:\WINDOWS\SYSTEM32\L74B9.tmp
C:\WINDOWS\SYSTEM32\L81B9.tmp
C:\WINDOWS\SYSTEM32\LC761.tmp
C:\WINDOWS\SYSTEM32\opnmlki.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Hrn.exe
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\MyWaySA
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\dsez5089.dat
C:\WINDOWS\SYSTEM32\hjllm.ini2
C:\WINDOWS\SYSTEM32\L22D.tmp
C:\WINDOWS\SYSTEM32\L74B9.tmp
C:\WINDOWS\SYSTEM32\L81B9.tmp
C:\WINDOWS\SYSTEM32\LC761.tmp
C:\WINDOWS\SYSTEM32\opnmlki.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-15 02:17 . 2008-03-15 02:26 <DIR> d-------- C:\VundoFix Backups
2008-03-14 22:59 . 2008-03-14 22:59 <DIR> d-------- C:\Deckard
2008-03-14 22:35 . 2008-03-14 22:35 1,934 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-14 01:27 . 2004-12-02 10:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Jasc Software Inc
2008-03-14 01:27 . 2004-12-02 10:57 <DIR> d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-03-14 01:11 . 2008-03-14 01:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 01:09 . 2008-03-16 20:33 <DIR> d-------- C:\__Virus_Fix
2008-03-12 02:29 . 2004-12-02 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-12 02:29 . 2004-12-02 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-10 17:41 . 2008-03-15 02:15 <DIR> d-------- C:\Program Files\SpyAway
2008-03-08 00:17 . 2008-03-08 00:17 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-02-20 17:45 . 2008-02-20 17:45 72,566 --a------ C:\WINDOWS\SYSTEM32\GameFly_2.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 01:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-09 01:38 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\Corel
2008-03-09 01:25 6,686 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-03-08 01:27 --------- d-----w C:\Program Files\McAfee
2008-03-08 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-08 01:20 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\McAfee
2008-02-28 21:45 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\LimeWire
2008-02-17 01:32 --------- d-----w C:\Program Files\PhotoFiltre Studio
2008-01-22 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 23:17 --------- d-----w C:\Program Files\Linksys
2008-01-22 23:16 --------- d-----w C:\Program Files\Funk Software
2008-01-22 23:16 --------- d-----w C:\Program Files\Common Files\Funk Software
2008-01-20 18:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-17 00:47 --------- d-----w C:\Program Files\iTunes
2008-01-17 00:47 --------- d-----w C:\Program Files\iPod
2008-01-17 00:45 --------- d-----w C:\Program Files\QuickTime
2008-01-17 00:45 --------- d-----w C:\Program Files\Bonjour
2006-03-22 18:46 104 --sh--r C:\WINDOWS\SYSTEM32\4232D0E863.sys
2006-12-18 02:11 168 --sh--r C:\WINDOWS\SYSTEM32\63E8D03242.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,160 2004-12-08 22:50:04 C:\Program Files\AIM\bak\aim.exe
----a-w 67,112 2006-08-01 20:35:36 C:\Program Files\AIM\aim.exe

-c--a-w 67,160 2006-08-19 04:13:28 C:\Program Files\AIM\AIM95_c0\bak\aim.exe

----a-w 1,388,544 2004-06-30 19:33:04 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 1,597,440 2004-09-09 22:35:38 C:\Program Files\AWS\WeatherBug\bak\Weather.exe

----a-w 290,816 2004-04-12 02:15:14 C:\Program Files\Dell\Media Experience\bak\PCMService.exe

----a-w 306,688 2004-07-19 13:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 221,184 2003-09-04 02:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 229,952 2006-09-12 05:58:54 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 32,881 2003-11-19 23:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 36,975 2005-04-13 08:48:52 C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe

----a-w 98,304 2004-06-17 04:33:02 C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe

----a-w 1,083,392 2004-08-03 23:18:16 C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe

----a-w 53,248 2004-09-14 14:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

----a-w 131,072 2004-09-14 14:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 98,304 2004-12-02 16:02:31 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 26,112 2004-12-02 16:01:44 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

-c--a-w 118,784 2004-02-10 17:51:30 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

-c--a-w 155,648 2004-02-10 17:55:32 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 18:27 85696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\Mom_2\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-12-03 16:35:53 147456]
PowerReg Scheduler V3.exe [2007-10-06 18:13:28 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2008-01-22 18:17:51 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R2 NICSer_WPC54GS;NICSer_WPC54GS;C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [2003-11-13 13:29]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 15:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 20:45:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 20:49:06
ComboFix-quarantined-files.txt 2008-03-17 01:49:01
ComboFix2.txt 2008-03-16 04:54:57

>>>>>>>> hijackthis.log <<<<<<<<

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:25 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5808 bytes

#10
Rorschach112

Posted 16 March 2008 - 07:25 PM

Ralphie

Retired Staff
47,710 posts

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

AWF::
C:\Program Files\AIM\bak\aim.exe
C:\Program Files\AIM\AIM95_c0\bak\aim.exe
C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
C:\Program Files\AWS\WeatherBug\bak\Weather.exe
C:\Program Files\Dell\Media Experience\bak\PCMService.exe
C:\Program Files\Dell Support\bak\DSAgnt.exe
C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe
C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe
C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

#11
Evil Ed

Posted 17 March 2008 - 12:10 AM

New Member

Topic Starter
Member
8 posts

OK, here is ComboFix_log.txt and hijackthis.log:

>>>>>>>> ComboFix_log.txt >>>>>>>>

ComboFix 08-03-13.4 - Admin 2008-03-17 1:25:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.202 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-17 00:54 . 2008-03-17 00:55 <DIR> d-------- C:\Wallpapers
2008-03-15 02:17 . 2008-03-15 02:26 <DIR> d-------- C:\VundoFix Backups
2008-03-14 22:59 . 2008-03-14 22:59 <DIR> d-------- C:\Deckard
2008-03-14 22:35 . 2008-03-14 22:35 1,934 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-14 01:27 . 2004-12-02 10:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Jasc Software Inc
2008-03-14 01:27 . 2004-12-02 10:57 <DIR> d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-03-14 01:11 . 2008-03-14 01:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 01:09 . 2008-03-17 01:20 <DIR> d-------- C:\__Virus_Fix
2008-03-12 02:29 . 2004-12-02 10:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-12 02:29 . 2004-12-02 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-10 17:41 . 2008-03-15 02:15 <DIR> d-------- C:\Program Files\SpyAway
2008-03-08 00:17 . 2008-03-08 00:17 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-02-20 17:45 . 2008-02-20 17:45 72,566 --a------ C:\WINDOWS\SYSTEM32\GameFly_2.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 06:30 --------- d-----w C:\Program Files\QuickTime
2008-03-17 06:30 --------- d-----w C:\Program Files\iTunes
2008-03-17 06:30 --------- d-----w C:\Program Files\Dell Support
2008-03-17 06:30 --------- d-----w C:\Program Files\AIM
2008-03-17 05:22 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-09 01:38 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\Corel
2008-03-09 01:25 6,686 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-03-08 01:27 --------- d-----w C:\Program Files\McAfee
2008-03-08 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-08 01:20 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\McAfee
2008-02-28 21:45 --------- d-----w C:\Documents and Settings\Mom_2\Application Data\LimeWire
2008-02-17 01:32 --------- d-----w C:\Program Files\PhotoFiltre Studio
2008-01-22 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 23:17 --------- d-----w C:\Program Files\Linksys
2008-01-22 23:16 --------- d-----w C:\Program Files\Funk Software
2008-01-22 23:16 --------- d-----w C:\Program Files\Common Files\Funk Software
2008-01-20 18:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-17 00:47 --------- d-----w C:\Program Files\iPod
2008-01-17 00:45 --------- d-----w C:\Program Files\Bonjour
2006-03-22 18:46 104 --sh--r C:\WINDOWS\SYSTEM32\4232D0E863.sys
2006-12-18 02:11 168 --sh--r C:\WINDOWS\SYSTEM32\63E8D03242.sys
.

((((((((((((((((((((((((((((( [email protected]_23.54.29.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-02-10 17:51:30 118,784 -c--a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
+ 2004-02-10 17:55:32 155,648 -c--a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 18:27 85696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-02 11:02 98304]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 00:58 229952]

C:\Documents and Settings\Mom_2\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-12-03 16:35:53 147456]
PowerReg Scheduler V3.exe [2007-10-06 18:13:28 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2008-01-22 18:17:51 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R2 NICSer_WPC54GS;NICSer_WPC54GS;C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [2003-11-13 13:29]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 15:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 01:30:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 1:33:18
ComboFix-quarantined-files.txt 2008-03-17 06:33:14
ComboFix2.txt 2008-03-17 01:49:07
ComboFix3.txt 2008-03-16 04:54:57

>>>>>>>> hijackthis.log >>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:46 AM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...?aid=496.cbcbcb
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5729 bytes

#12
Rorschach112

Posted 17 March 2008 - 09:51 AM

Ralphie

Retired Staff
47,710 posts

Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Also tell me how your PC is running

#13
Evil Ed

Posted 19 March 2008 - 10:31 PM

New Member

Topic Starter
Member
8 posts

OK, the Kaspersky WebScanner only found 2 infected files in archives, which I deleted. I found a lot more, but the others were in System Restore and Quarantine folders, which I deleted also.

The weird thing is that the PC was feeling much faster before doing the last couple of things, but might be because of installing Registry Mechanic and Spyware Doctor from PCTools. I cleaned the registry and defragged the harddrive and its almost as fast now. The only really bad thing is that it takes a very long time to shutdown (restart is ok though). As I mentioned at the beginning, this is a friends pc so I don't know what it was like before the virus, but the shutdown was very slow since he gave it to me to fix. I never had a pc take 2-3 minutes to shutdown before. Could this have anything to do with the virus?

And thanks again for all your help. I've removed virus' before, but this was over my head.

#14
Rorschach112

Posted 20 March 2008 - 06:11 AM

Ralphie

Retired Staff
47,710 posts

Yes it may be related to the damage the virus did

Few things to do

Now lets uninstall Combofix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

The above procedure will do the following:

Delete ComboFix and its associated files and folders.
Delete VundoFix backups, if present
Delete the C:\Deckard folder, if present
Delete the C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.