Pop ups + Slow ie [RESOLVED]


  • This topic is locked

#1
nugent1
Member, 12 posts

I've followed the steps and scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:44, on 2008-03-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Documents and Settings\Todd\lsass.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Instafinder] C:\Program Files\Instafinder\instafinder.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Todd\lsass.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [BM0ade429f] Rundll32.exe "C:\WINDOWS\system32\inouparb.dll",s
O4 - HKLM\..\Run: [09ed7103] rundll32.exe "C:\WINDOWS\system32\rvhbycer.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide....ageUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7450 bytes
#2
nugent1 (Topic Starter)
Member, 12 posts

I've been through all the steps + Panda scan. I've run AVG Anti-Spyware, SUPERAntiSpyware, Spybot S&D, Ad-Aware 2007, and just got through ComboFix. Posting its log along with a new HijackThis log. Is there anybody out there?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:41 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Instafinder] C:\Program Files\Instafinder\instafinder.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide....ageUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcdaaa - efcdaaa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7491 bytes
ComboFix 08-03-25.4 - Todd 2008-03-26 14:15:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.111 [GMT -5:00]
Running from: C:\Documents and Settings\Todd\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Todd\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Todd\Application Data\Adssite Advanced Toolbar\selected.xml
C:\Documents and Settings\Todd\Application Data\FunWebProducts
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\outlook
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11\ftCa.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\WINDOWS\BM0ade429f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\accdd.ini
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\adssitesuggest.dll
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\aqVreo18\aqVreo182328.exe
C:\WINDOWS\system32\asfhgkbf.ini
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\dgqboift.dll
C:\WINDOWS\system32\efcdaaa.dll
C:\WINDOWS\system32\erflmdwt.dll
C:\WINDOWS\system32\fbkghfsa.dll
C:\WINDOWS\system32\fdqctvte.dll
C:\WINDOWS\system32\ffrfyqlv.dll
C:\WINDOWS\system32\gdtjjlhi.dll
C:\WINDOWS\system32\gubshvss.ini
C:\WINDOWS\system32\hbeevaqa.dll
C:\WINDOWS\system32\ibxnblhc.dll
C:\WINDOWS\system32\ihljjtdg.ini
C:\WINDOWS\system32\ikmlswxq.dll
C:\WINDOWS\system32\inouparb.dll
C:\WINDOWS\system32\jxafoovb.dll
C:\WINDOWS\system32\kmd.exe
C:\WINDOWS\system32\krdyexxh.dll
C:\WINDOWS\system32\lebplwgb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mwckcsqp.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqsckcwm.ini
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\ssvhsbug.dll
C:\WINDOWS\system32\tuvstus.dll
C:\WINDOWS\system32\twdmlfre.ini
C:\WINDOWS\system32\udpomvyo.dll
C:\WINDOWS\system32\UpMedia\SearchTool.dll
C:\WINDOWS\system32\UpMedia\uninstallSE.exe
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\wjbcinim.dll
C:\x.dat
C:\z.dat
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\system32\auujalmj.dll
C:\WINDOWS\system32\byjiybkf.dll
C:\WINDOWS\system32\enqrimsq.dll
C:\WINDOWS\system32\fwdedvsn.dll
C:\WINDOWS\system32\jsjnbbwl.dll
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\kmuijxuf.dll
C:\WINDOWS\system32\oswujset.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pjgwmctk.dll
C:\WINDOWS\system32\qctsshhi.dll
C:\WINDOWS\system32\sqvboehr.dll
C:\WINDOWS\system32\udqlamcd.dll
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\UpMedia\SearchTool.dll
C:\WINDOWS\system32\UpMedia\uninstallSE.exe
C:\WINDOWS\system32\wsbubsax.dll
C:\WINDOWS\system32\xtigqppm.dll
C:\WINDOWS\system32\ynaprqug.dll
C:\x.dat
C:\z.dat
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 16:46 . 2008-03-25 16:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-25 16:46 . 2008-03-25 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-25 03:01 . 2008-03-25 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 00:42 . 2008-03-25 00:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 00:42 . 2008-03-25 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 22:56 . 2008-03-25 00:26 354 ---hs---- C:\WINDOWS\system32\recybhvr.ini
2008-03-24 15:10 . 2008-03-24 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-24 13:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-24 13:31 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-24 13:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-23 22:38 . 2008-03-23 22:38 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-03-23 22:26 . 2008-03-23 22:44 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-23 22:25 . 2008-03-23 22:47 <DIR> d-------- C:\Program Files\Windows Live
2008-03-23 22:24 . 2008-03-23 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-23 14:17 . 2008-03-25 16:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 10:03 . 2008-03-23 10:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-23 09:31 . 2008-03-23 09:31 29,696 ---hs---- C:\Documents and Settings\Todd\lsass.exe
2008-03-22 11:43 . 2008-03-22 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Banner Maker Pro for Flash
2008-03-22 11:20 . 2008-03-22 11:20 84,761 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-03-22 11:19 . 2008-03-22 11:19 80,121 --a------ C:\WINDOWS\system32\adzgalore-remove.exe
2008-03-22 11:19 . 2008-03-22 11:19 40,713 --a------ C:\WINDOWS\system32\cpmsky-uninst.exe
2008-03-22 11:11 . 2008-03-23 09:25 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-22 11:11 . 2008-03-22 11:11 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-03-22 11:11 . 2008-03-23 09:25 <DIR> d-------- C:\WINDOWS\system32\FxTmp
2008-03-22 11:11 . 2008-03-22 11:11 37,376 --a------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-03-22 11:11 . 2008-03-23 09:32 37,376 --a------ C:\WINDOWS\mrofinu1188.exe
2008-03-22 11:11 . 2008-03-22 11:11 2,671 --a------ C:\WINDOWS\17PHolmes1000106.exe
2008-03-22 11:10 . 2008-03-22 11:10 5,632 --a------ C:\dllhost.exe
2008-03-22 11:10 . 2008-03-22 11:10 2,671 --a------ C:\WINDOWS\da.exe
2008-03-18 07:19 . 2008-03-18 07:19 153,600 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll
2008-03-17 21:28 . 2008-03-17 21:28 268 --ah----- C:\sqmdata15.sqm
2008-03-17 21:28 . 2008-03-17 21:28 244 --ah----- C:\sqmnoopt15.sqm
2008-03-13 22:49 . 2008-03-13 22:49 268 --ah----- C:\sqmdata14.sqm
2008-03-13 22:49 . 2008-03-13 22:49 244 --ah----- C:\sqmnoopt14.sqm
2008-03-08 13:26 . 2008-03-08 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-07 08:58 . 2008-03-07 08:58 60,416 --a------ C:\WINDOWS\system32\cpmsky.dll
2008-03-06 14:27 . 2008-03-06 14:27 268 --ah----- C:\sqmdata13.sqm
2008-03-06 14:27 . 2008-03-06 14:27 244 --ah----- C:\sqmnoopt13.sqm
2008-03-06 10:07 . 2008-03-06 10:07 268 --ah----- C:\sqmdata12.sqm
2008-03-06 10:07 . 2008-03-06 10:07 244 --ah----- C:\sqmnoopt12.sqm
2008-03-06 08:46 . 2008-03-06 08:46 268 --ah----- C:\sqmdata11.sqm
2008-03-06 08:46 . 2008-03-06 08:46 244 --ah----- C:\sqmnoopt11.sqm
2008-03-05 23:29 . 2008-03-05 23:29 268 --ah----- C:\sqmdata10.sqm
2008-03-05 23:29 . 2008-03-05 23:29 244 --ah----- C:\sqmnoopt10.sqm
2008-03-05 02:45 . 2008-03-05 02:45 268 --ah----- C:\sqmdata09.sqm
2008-03-05 02:45 . 2008-03-05 02:45 244 --ah----- C:\sqmnoopt09.sqm
2008-03-04 22:30 . 2008-03-04 22:30 268 --ah----- C:\sqmdata08.sqm
2008-03-04 22:30 . 2008-03-04 22:30 244 --ah----- C:\sqmnoopt08.sqm
2008-03-01 17:54 . 2008-03-01 17:54 268 --ah----- C:\sqmdata07.sqm
2008-03-01 17:54 . 2008-03-01 17:54 244 --ah----- C:\sqmnoopt07.sqm
2008-03-01 10:55 . 2008-03-01 10:55 268 --ah----- C:\sqmdata06.sqm
2008-03-01 10:55 . 2008-03-01 10:55 244 --ah----- C:\sqmnoopt06.sqm
2008-02-29 23:56 . 2008-03-04 11:00 <DIR> d-------- C:\Documents and Settings\Todd\Application Data\DivX
2008-02-29 23:54 . 2008-03-06 10:09 <DIR> d-------- C:\Program Files\DivX
2008-02-29 19:24 . 2008-02-29 19:24 <DIR> d-------- C:\Program Files\Ligos
2008-02-29 19:24 . 2000-06-23 15:05 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2008-02-29 18:58 . 2008-02-29 18:58 36 ---h----- C:\WINDOWS\system32\swk.ini
2008-02-29 18:41 . 2008-02-29 18:41 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2008-02-29 03:21 . 2008-02-29 03:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-28 22:11 . 2005-09-25 21:11 2,494,464 --a------ C:\WINDOWS\system\advrcntr2.dll
2008-02-28 21:56 . 2008-02-28 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-02-28 17:43 . 2008-02-28 17:43 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-28 17:43 . 2008-02-28 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-28 14:58 . 2008-02-28 14:58 <DIR> d-------- C:\Documents and Settings\Todd\Application Data\Smith Micro
2008-02-28 14:53 . 2007-02-08 20:28 26,656 --a------ C:\WINDOWS\system32\kwutil2k.dll
2008-02-28 14:52 . 2008-02-28 14:53 <DIR> d-------- C:\Program Files\Kyocera Wireless Corp
2008-02-28 14:52 . 2008-02-28 14:52 <DIR> d-------- C:\Program Files\Alltel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 20:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 14:35 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-23 22:10 --------- d-----w C:\Program Files\Photo DVD Maker Professional
2008-03-23 22:02 --------- d-----w C:\Program Files\DVD Photo Slideshow Professional
2008-03-23 19:18 --------- d-----w C:\Documents and Settings\Todd\Application Data\SUPERAntiSpyware.com
2008-03-23 19:07 --------- d-----w C:\Documents and Settings\Todd\Application Data\LimeWire
2008-03-22 18:11 --------- d-----w C:\Program Files\LimeWire
2008-03-18 17:16 --------- d-----w C:\Program Files\d2
2008-03-18 16:42 --------- d-----w C:\Program Files\Diablo II
2008-03-18 02:36 --------- d-----w C:\Program Files\XoftSpySE
2008-03-18 02:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 02:30 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-08 17:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 15:02 --------- d-----w C:\Program Files\NCH Swift Sound
2008-03-06 14:59 --------- d-----w C:\Documents and Settings\Todd\Application Data\NCH Swift Sound
2008-02-28 05:55 --------- d-----w C:\Program Files\Pure Sudoku
2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-18 16:15 --------- d-----w C:\Program Files\Instafinder
2008-02-18 15:06 --------- d-----w C:\Program Files\Need2Find
2008-02-18 15:05 --------- d-----w C:\Program Files\Kazaa
2008-02-18 15:03 905 ----a-w C:\WINDOWS\Fonts\acrsecI.fon
2008-02-18 14:00 --------- d-----w C:\Program Files\Java
2008-02-15 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-14 18:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-14 16:25 --------- d-----w C:\Program Files\BearShare Applications
2008-02-10 14:28 --------- d-----w C:\Program Files\Trend Micro
2008-02-08 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 17:33 --------- d-----w C:\Documents and Settings\Todd\Application Data\Grisoft
2008-02-08 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-08 15:37 --------- d-----w C:\Documents and Settings\Todd\Application Data\SpywareBot
2008-01-26 17:42 --------- d-----w C:\Program Files\Paint.NET
2008-01-26 17:20 --------- d-----w C:\Program Files\MSBuild
2008-01-26 17:19 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-26 17:01 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-16 18:09 18,432 ----a-w C:\Documents and Settings\Todd\Application Data\internaldb41.dat
2007-12-16 15:35 374 ----a-w C:\Documents and Settings\Todd\Application Data\internaldb6334.dat
2007-12-16 15:25 555 ----a-w C:\Documents and Settings\Todd\Application Data\internaldb8467.dat
2006-11-30 01:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-07 13:44 91,480 ----a-w C:\Documents and Settings\Todd\Application Data\GDIPFONTCACHEV1.DAT
2006-02-11 13:51 0 ----a-w C:\Documents and Settings\Todd\Application Data\wklnhst.dat
2004-10-19 21:38 11,052,037 ----a-w C:\Documents and Settings\Todd\Application Data\HCSetup2.0_IW.5.1.exe
2001-07-26 22:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 18:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 17:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 22:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 20:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 15:54 768 ----a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00 339968]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11 692316]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54 253952]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 17:31 80896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"Instafinder"="C:\Program Files\Instafinder\instafinder.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 1

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaaa]
efcdaaa.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 10:18]
R3 kwkpcusb;Kyocera CDMA Wireless Modem Driver for KPC;C:\WINDOWS\system32\DRIVERS\kwusbnt.sys [2007-02-08 20:28]
R3 VmbInfce;VmbInfce;C:\WINDOWS\system32\drivers\vmbinfce.sys [2007-01-29 11:32]
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\Todd\LOCALS~1\Temp\DMSKSSRh.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 03:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 02:14:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-26 08:00:00 C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
- C:\Program Files\MacroVirus\MacroVirus.ex
- C:\Program Files\MacroVirus
"2008-03-26 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 14:43:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?9?9?8??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
.
**************************************************************************
.
Completion time: 2008-03-26 14:48:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 19:47:56
.
2008-03-25 08:01:28 --- E O F ---

#3
Lusitano

    Trusted Helper

  • Malware Removal
  • 525 posts
Hi, welcome to GeeksToGo!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

#4
nugent1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I've noticed that there are no more pop-ups, so ComboFix did it. But I do have problems with pages loading. Most of the time at normal speed, then they never load.

#5
Lusitano

    Trusted Helper

  • Malware Removal
  • 525 posts
Hello nugent1,

:) Please do not make any system changes on your own. Be patient and continue to review my answers. This is very important!

# Step 1 #

Your log doesn't show any antivirus software running. :)
This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it; otherwise you need to install an antivirus program as soon as you can and run a complete scan of the computer.
Please download and install one of these good (and free) products:

Avira Antivir
BitDefender
AVG


Install just one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note: I do not recommend that you have more than one antivirus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files as they are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.



# Step 2 #

Your log(s) also show that you are using so-called peer-to-peer or file-sharing programmes (in your case BearShare, LimeWire and KaZaa).
These programmes allow users to share files with each other, as the name suggests. In today's world cybercrime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and
you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



# Step 3 #

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

PartyPoker - Read more here
Limewire - Read more here
KaZaa - Read more here
BearShare - Read more here
MySidesearch Search Assistant - Read more here
Instafinder - Read more here
Need2Find - Read more here
MacroVirus - Read more here
SpywareBot - Read more here



# Step 3 #

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.



# Step 3 #

Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo.com/forum/Pop-ups-Slow-ie-t192337.html&p=1198417#entry1198417
Suspect::
C:\WINDOWS\system32\recybhvr.ini
C:\Documents and Settings\Todd\lsass.exe
C:\WINDOWS\system32\cpmsky.dll
File::
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\dllhost.exe
C:\WINDOWS\da.exe
C:\WINDOWS\Fonts\acrsecI.fon
Folder::
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\mp2
C:\Program Files\BearShare Applications
C:\Program Files\LimeWire
C:\WINDOWS\system32\FxTmp
C:\Program Files\Instafinder
C:\Program Files\Need2Find
C:\Program Files\Kazaa
C:\Program Files\MacroVirus
C:\Program Files\SpywareBot
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Instafinder"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdaaa]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • [Animation: dragging CFScript.txt onto ComboFix.exe]
  • This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.



# Step 4 #

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\Documents and Settings\Todd\lsass.exe
  • Click on the submit button
  • Please post the results in your next reply.
  • Repeat for these:
    • C:\WINDOWS\system32\recybhvr.ini
    • C:\WINDOWS\system32\cpmsky.dll
  • If Jotti's too busy, try on VirusTotal


# Step 5 #

In your next reply, please post:
  • The results from ComboFix (step nº 3)
  • The results from Jotti or VirusTotal (step nº 4)
  • A new HijackThis log.

Regards
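The CFScript above targets the two kinds of entry a helper looks for when reading these logs: a binary carrying a core system-process name (lsass.exe) that sits in a user profile instead of system32, and a Winlogon Notify DLL (efcdaaa.dll) registered with no path at all. The Python triage script below is an added example, not the helper's own tool and not part of ComboFix or HijackThis; it parses HijackThis-style O4/O20/O23 lines (the sample lines are constructed to resemble this thread's logs) and reports entries that match those patterns or that load from a location an unprivileged user can write to.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in HijackThis format, modelled on this thread's logs
# (the fake lsass.exe in the user profile, the path-less efcdaaa.dll Winlogon
# Notify entry and the driver ComboFix listed under the Temp folder).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKCU\..\Run: [lsass] C:\Documents and Settings\Todd\lsass.exe",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: efcdaaa - efcdaaa.dll",
    r"O23 - Service: DMSKSSRh (DMSKSSRh) - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\DMSKSSRh.sys",
]

# Process names Windows XP only runs from %SystemRoot%\system32.
CORE_PROCESSES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Path fragments (lower-cased) that an unprivileged XP user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\application data\\")

LINE_RE = {
    "O4": re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$"),
}
# An unquoted command line: the image path ends at the first .exe/.dll/.sys/.cpl.
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|sys|cpl))(?:\s|$)", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Strip quotes and arguments from a Run/Notify/Service command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group("path") if m else cmd


def assess(path: str) -> list:
    """Return the reasons (possibly none) an autostart image path looks suspicious."""
    reasons = []
    p = PureWindowsPath(path)
    if len(p.parts) == 1:
        reasons.append("no directory given (bare file name)")
    if p.name.lower() in CORE_PROCESSES and str(p.parent).lower() != SYSTEM32:
        reasons.append("system-process name outside system32")
    if any(frag in path.lower() for frag in USER_WRITABLE):
        reasons.append("image in user-writable location")
    return reasons


def triage(lines) -> list:
    """Parse HijackThis O4/O20/O23 lines; return the suspicious ones with reasons."""
    findings = []
    for line in lines:
        kind = line.split(" ", 1)[0]
        rx = LINE_RE.get(kind)
        m = rx.match(line) if rx else None
        if not m:
            continue
        path = image_path(m.group("cmd"))
        reasons = assess(path)
        if reasons:
            findings.append({"kind": kind, "name": m.group("name").strip(), "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']} [{f['name']}] {f['path']}: {'; '.join(f['reasons'])}")
```

Running it prints only the three constructed bad entries; the two legitimate ones pass. Anything it reports still needs a human look, since a legitimate updater can also live under Application Data, which is why the script gives reasons rather than verdicts.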

#6
nugent1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
OK

1 - DL'd Avira; it found 20+ nasties and quarantined them
2 - All p2p programs were uninstalled before I posted this problem
3 - Not all were on the program add/remove list... but I removed the ones I found
Here is combofix log

ComboFix 08-03-25.4 - Todd 2008-03-27 15:26:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.136 [GMT -5:00]
Running from: C:\Documents and Settings\Todd\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Todd\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\dllhost.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\da.exe
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Todd\lsass.exe
C:\Program Files\BearShare Applications
C:\Program Files\BearShare Applications\BearShare\WMHelper.log
C:\Program Files\Kazaa
C:\Program Files\LimeWire
C:\Program Files\LimeWire\Incomplete\downloads.bak
C:\Program Files\LimeWire\Incomplete\downloads.dat
C:\Program Files\MacroVirus
C:\Program Files\MacroVirus\mav.log
C:\Program Files\Need2Find
C:\Program Files\Need2Find\bar\History\search
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\da.exe
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\FxTmp
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\mp2\dr32gb.exe
C:\WINDOWS\system32\usnv

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 13:46 . 2008-03-27 13:46 <DIR> d-------- C:\Program Files\Avira
2008-03-27 13:46 . 2008-03-27 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-25 16:46 . 2008-03-25 16:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-25 16:46 . 2008-03-25 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-25 03:01 . 2008-03-25 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 00:42 . 2008-03-25 00:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 00:42 . 2008-03-25 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 22:56 . 2008-03-25 00:26 354 ---hs---- C:\WINDOWS\system32\recybhvr.ini
2008-03-24 15:10 . 2008-03-24 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-24 13:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-24 13:31 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-24 13:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-23 22:38 . 2008-03-23 22:38 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-03-23 22:26 . 2008-03-23 22:44 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-23 22:25 . 2008-03-23 22:47 <DIR> d-------- C:\Program Files\Windows Live
2008-03-23 22:24 . 2008-03-23 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-23 14:17 . 2008-03-25 16:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 10:03 . 2008-03-23 10:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-22 11:43 . 2008-03-22 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Banner Maker Pro for Flash
2008-03-17 21:28 . 2008-03-17 21:28 268 --ah----- C:\sqmdata15.sqm
2008-03-17 21:28 . 2008-03-17 21:28 244 --ah----- C:\sqmnoopt15.sqm
2008-03-13 22:49 . 2008-03-13 22:49 268 --ah----- C:\sqmdata14.sqm
2008-03-13 22:49 . 2008-03-13 22:49 244 --ah----- C:\sqmnoopt14.sqm
2008-03-08 13:26 . 2008-03-08 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-07 08:58 . 2008-03-07 08:58 60,416 --a------ C:\WINDOWS\system32\cpmsky.dll
2008-03-06 14:27 . 2008-03-06 14:27 268 --ah----- C:\sqmdata13.sqm
2008-03-06 14:27 . 2008-03-06 14:27 244 --ah----- C:\sqmnoopt13.sqm
2008-03-06 10:07 . 2008-03-06 10:07 268 --ah----- C:\sqmdata12.sqm
2008-03-06 10:07 . 2008-03-06 10:07 244 --ah----- C:\sqmnoopt12.sqm
2008-03-06 08:46 . 2008-03-06 08:46 268 --ah----- C:\sqmdata11.sqm
2008-03-06 08:46 . 2008-03-06 08:46 244 --ah----- C:\sqmnoopt11.sqm
2008-03-05 23:29 . 2008-03-05 23:29 268 --ah----- C:\sqmdata10.sqm
2008-03-05 23:29 . 2008-03-05 23:29 244 --ah----- C:\sqmnoopt10.sqm
2008-03-05 02:45 . 2008-03-05 02:45 268 --ah----- C:\sqmdata09.sqm
2008-03-05 02:45 . 2008-03-05 02:45 244 --ah----- C:\sqmnoopt09.sqm
2008-03-04 22:30 . 2008-03-04 22:30 268 --ah----- C:\sqmdata08.sqm
2008-03-04 22:30 . 2008-03-04 22:30 244 --ah----- C:\sqmnoopt08.sqm
2008-03-01 17:54 . 2008-03-01 17:54 268 --ah----- C:\sqmdata07.sqm
2008-03-01 17:54 . 2008-03-01 17:54 244 --ah----- C:\sqmnoopt07.sqm
2008-03-01 10:55 . 2008-03-01 10:55 268 --ah----- C:\sqmdata06.sqm
2008-03-01 10:55 . 2008-03-01 10:55 244 --ah----- C:\sqmnoopt06.sqm
2008-02-29 23:56 . 2008-03-04 11:00 <DIR> d-------- C:\Documents and Settings\Todd\Application Data\DivX
2008-02-29 23:54 . 2008-03-06 10:09 <DIR> d-------- C:\Program Files\DivX
2008-02-29 19:24 . 2008-02-29 19:24 <DIR> d-------- C:\Program Files\Ligos
2008-02-29 19:24 . 2000-06-23 15:05 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2008-02-29 18:58 . 2008-02-29 18:58 36 ---h----- C:\WINDOWS\system32\swk.ini
2008-02-29 18:41 . 2008-02-29 18:41 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2008-02-29 03:21 . 2008-02-29 03:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-28 22:11 . 2005-09-25 21:11 2,494,464 --a------ C:\WINDOWS\system\advrcntr2.dll
2008-02-28 21:56 . 2008-02-28 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-02-28 17:43 . 2008-02-28 17:43 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-28 17:43 . 2008-02-28 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-28 14:58 . 2008-02-28 14:58 <DIR> d-------- C:\Documents and Settings\Todd\Application Data\Smith Micro
2008-02-28 14:53 . 2007-02-08 20:28 26,656 --a------ C:\WINDOWS\system32\kwutil2k.dll
2008-02-28 14:52 . 2008-02-28 14:53 <DIR> d-------- C:\Program Files\Kyocera Wireless Corp
2008-02-28 14:52 . 2008-02-28 14:52 <DIR> d-------- C:\Program Files\Alltel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 20:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 14:35 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-23 22:10 --------- d-----w C:\Program Files\Photo DVD Maker Professional
2008-03-23 22:02 --------- d-----w C:\Program Files\DVD Photo Slideshow Professional
2008-03-23 19:18 --------- d-----w C:\Documents and Settings\Todd\Application Data\SUPERAntiSpyware.com
2008-03-23 19:07 --------- d-----w C:\Documents and Settings\Todd\Application Data\LimeWire
2008-03-18 17:16 --------- d-----w C:\Program Files\d2
2008-03-18 16:42 --------- d-----w C:\Program Files\Diablo II
2008-03-18 02:36 --------- d-----w C:\Program Files\XoftSpySE
2008-03-18 02:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 02:30 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-08 17:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 15:02 --------- d-----w C:\Program Files\NCH Swift Sound
2008-03-06 14:59 --------- d-----w C:\Documents and Settings\Todd\Application Data\NCH Swift Sound
2008-02-28 05:55 --------- d-----w C:\Program Files\Pure Sudoku
2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-18 14:00 --------- d-----w C:\Program Files\Java
2008-02-15 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-14 18:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-10 14:28 --------- d-----w C:\Program Files\Trend Micro
2008-02-08 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 17:33 --------- d-----w C:\Documents and Settings\Todd\Application Data\Grisoft
2008-02-08 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-08 15:37 --------- d-----w C:\Documents and Settings\Todd\Application Data\SpywareBot
2008-02-01 09:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-16 18:09 18,432 ----a-w C:\Documents and Settings\Todd\Application Data\internaldb41.dat
2007-12-16 15:35 374 ----a-w C:\Documents and Settings\Todd\Application Data\internaldb6334.dat
2007-12-16 15:25 555 ----a-w C:\Documents and Settings\Todd\Application Data\internaldb8467.dat
2006-11-30 01:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-07 13:44 91,480 ----a-w C:\Documents and Settings\Todd\Application Data\GDIPFONTCACHEV1.DAT
2006-02-11 13:51 0 ----a-w C:\Documents and Settings\Todd\Application Data\wklnhst.dat
2004-10-19 21:38 11,052,037 ----a-w C:\Documents and Settings\Todd\Application Data\HCSetup2.0_IW.5.1.exe
2001-07-26 22:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 18:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 17:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 22:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 20:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 15:54 768 ----a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-26_14.47.39.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-09 18:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 19:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-27 18:51:42 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00 339968]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11 692316]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54 253952]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 17:31 80896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-27 13:51 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 1

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 10:18]
R3 kwkpcusb;Kyocera CDMA Wireless Modem Driver for KPC;C:\WINDOWS\system32\DRIVERS\kwusbnt.sys [2007-02-08 20:28]
R3 VmbInfce;VmbInfce;C:\WINDOWS\system32\drivers\vmbinfce.sys [2007-01-29 11:32]
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\Todd\LOCALS~1\Temp\DMSKSSRh.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 03:00]

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 02:14:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-26 08:00:00 C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
- C:\Program Files\MacroVirus\MacroVirus.ex
- C:\Program Files\MacroVirus
"2008-03-26 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 15:31:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?9?9?8??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-27 15:32:03
ComboFix-quarantined-files.txt 2008-03-27 20:31:42
ComboFix2.txt 2008-03-26 19:48:03
.
2008-03-25 08:01:28 --- E O F ---


4. I could not locate C:\Documents and Settings\Todd\lsass.exe to scan. recybhvr.ini came back clean, and here is the report for cpmsky.dll
File cpmsky.dll received on 03.27.2008 09:48:41 (CET)
Current status: finished

Result: 8/32 (25.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.27 -
AntiVir 7.6.0.75 2008.03.27 ADSPY/TrafficSol.AE
Authentium 4.93.8 2008.03.27 -
Avast 4.7.1098.0 2008.03.26 -
AVG 7.5.0.516 2008.03.26 Adware Generic3.RZ
BitDefender 7.2 2008.03.27 -
CAT-QuickHeal 9.50 2008.03.26 -
ClamAV 0.92.1 2008.03.27 -
DrWeb 4.44.0.09170 2008.03.27 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5646 2008.03.27 -
Ewido 4.0 2008.03.26 -
FileAdvisor 1 2008.03.27 -
Fortinet 3.14.0.0 2008.03.27 -
F-Prot 4.4.2.54 2008.03.26 -
F-Secure 6.70.13260.0 2008.03.27 -
Ikarus T3.1.1.20 2008.03.26 not-a-virus:AdWare.Win32.TrafficSol.f
Kaspersky 7.0.0.125 2008.03.27 not-a-virus:AdWare.Win32.TrafficSol.ae
McAfee 5260 2008.03.26 -
Microsoft 1.3301 2008.03.27 Adware:Win32/AdPanel
NOD32v2 2976 2008.03.26 -
Norman 5.80.02 2008.03.26 -
Panda 9.0.0.4 2008.03.26 -
Prevx1 V2 2008.03.27 Generic.Malware
Rising 20.37.30.00 2008.03.27 -
Sophos 4.27.0 2008.03.27 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.27 -
TheHacker 6.2.92.256 2008.03.27 -
VBA32 3.12.6.3 2008.03.25 AdWare.Win32.TrafficSol.ae
VirusBuster 4.3.26:9 2008.03.26 -
Webwasher-Gateway 6.6.2 2008.03.27 Ad-Spyware.TrafficSol.AE
Additional information
File size: 60416 bytes
MD5: c3b2dba8c51f123d6c3cf37c73985262
SHA1: 0388bf020cce10e4ff554e99a28a8a7e6d21987a
PEiD: -
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.co...1F4ED0008D50484


5. Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:44 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide....ageUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7856 bytes
  • 0

#7
Lusitano
    Trusted Helper

  • Malware Removal
  • 525 posts
Hello nugent1,

# Step 1 #

Go to Start » Run » type: regedit » OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File » Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File » Exit.


# Step 2 #

Go to Start » Run » type: Notepad » OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]

  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it Fixme.reg and save it on your desktop.
  • Double click Fixme.reg. It will ask you if you want to merge it to the registry, click Yes.



# Step 3 #

Please set your system to show all files.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.


# Step 4 #

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files and folders, if present:

Folders:
C:\Documents and Settings\Todd\Application Data\LimeWire <- this folder
C:\Program Files\MacroVirus <- this folder
C:\Program Files\SpywareBot <- this folder

Files:
C:\WINDOWS\system32\cpmsky.dll <- this file
C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job <- this file
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job <- this file



# Step 5 #

Reconfigure Windows XP to hide hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading deselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Check the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



# Step 6 #

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.



# Step 7 #

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


# Step 8 #

Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.


# Step 9 #

In your next reply, please post:
  • The results from Kaspersky online scan (step nº 8)
  • A new HijackThis log, and let me know how your computer is running now

Regards
  • 0
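As an added example (not part of the thread, and not Trend Micro's or the helper's code), here is a small Python script that compares the earlier and later HijackThis logs to confirm a fix took effect: it keys each entry by its CLSID, Run-key name or service name, so the PartyPoker O9 entries and the O16 download removed by the Fixme.reg show up as removed, the Java path update shows up as changed rather than as removed plus added, and the CLSIDs named in the .reg file are checked against the new log. It assumes the HijackThis 2.0.x line format; the inline sample logs are short constructed excerpts of the two logs posted in this thread.

```python
import re

# HijackThis 2.0.x entry lines look like "O9 - Extra button: Name - {CLSID} - C:\path"
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]+)\]")   # O4 lines
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - ")            # O23 lines

# CLSIDs deleted by the Fixme.reg posted in this thread (IE extension + DPF unit)
FIX_TARGETS = {
    "{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}",
    "{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}",
}

# Constructed excerpts of the thread's 'before' and 'after' logs
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
--
End of file - 7856 bytes
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
--
End of file - 7646 bytes
"""


def entry_key(sec, body):
    """Build a stable identity for one log entry.

    Entries carrying a CLSID (BHOs, toolbar buttons, DPF downloads, TCP/IP
    interfaces) are keyed by section, entry kind and CLSID, so a path change
    such as a Java update is reported as 'changed', not removed + added.
    """
    clsid = CLSID_RE.search(body)
    if clsid:
        kind = body.split(":", 1)[0]        # "BHO", "Extra button", "DPF", ...
        return (sec, kind, clsid.group(0).upper())
    if sec == "O4":                          # autostart entries: hive + value name
        m = RUN_RE.match(body)
        if m:
            return (sec, m.group("where"), m.group("name"))
    if sec == "O23":                         # services: display name
        m = SERVICE_RE.match(body)
        if m:
            return (sec, "Service", m.group("name"))
    return (sec, body)


def parse_log(text):
    """Return {key: body} for every R/F/O entry line in a HijackThis log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[entry_key(m.group("sec"), m.group("body"))] = m.group("body")
    return entries


def diff_logs(before, after):
    """Compare two logs; returns sorted lists of removed, added and changed entries."""
    old, new = parse_log(before), parse_log(after)
    return {
        "removed": sorted(old[k] for k in old.keys() - new.keys()),
        "added": sorted(new[k] for k in new.keys() - old.keys()),
        "changed": sorted((old[k], new[k]) for k in old.keys() & new.keys()
                          if old[k] != new[k]),
    }


def still_present(log, clsids):
    """Which of the CLSIDs targeted by a .reg fix still appear anywhere in a log."""
    found = {c.upper() for c in CLSID_RE.findall(log)}
    return {c for c in clsids if c.upper() in found}


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for kind in ("removed", "added", "changed"):
        print(f"{kind}:")
        for item in result[kind]:
            print("  ", item)
    print("fix targets still present:", still_present(AFTER, FIX_TARGETS) or "none")
```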

#8
nugent1
    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Completed. No more pop-ups, but they stopped after the first time I ran ComboFix. IE loads as good as to be expected. It lags a little but not bad.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:24 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide....ageUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20F66A4B-A3E6-4ADC-92B1-0B72EC828167}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7646 bytes



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 28, 2008 3:18:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/03/2008
Kaspersky Anti-Virus database records: 668879
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 64080
Number of viruses found: 30
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 01:23:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Quarantine\24-12-2007-18-48-15\45.qit/mySetp.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Quarantine\24-12-2007-18-48-15\45.qit CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/BigFishGames - The Da Vinci Code.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/BigFishGames - The Da Vinci Code.zip Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Application Data\SpywareBot\Quarantine\07-01-2008-07-30-12\82.qit Infected: not-a-virus:PSWTool.Win32.PassView.p skipped
C:\Documents and Settings\Todd\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Desktop\[4][email protected]/cpmsky.dll.vir Infected: not-a-virus:AdWare.Win32.TrafficSol.ae skipped
C:\Documents and Settings\Todd\Desktop\[4][email protected] ZIP: infected - 1 skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\MSHist012008032820080329\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\RPNT0MLK\300x250fe[1].swf Object is locked skipped
C:\Documents and Settings\Todd\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Todd\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dgqboift.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fdqctvte.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gdtjjlhi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ibxnblhc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ikmlswxq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\inouparb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jxafoovb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mwckcsqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvstus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-26_144330.23.zip/awtsr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-26_144330.23.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP293\A0092261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP294\A0092274.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.j skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP294\A0092276.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.g skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP294\A0092283.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.x skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP294\A0092284.dll Infected: not-a-virus:AdWare.Win32.Beginto.j skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092438.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092439.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092440.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092441.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092442.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092443.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092444.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092445.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092446.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092447.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092448.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092449.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092450.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP297\A0092451.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP310\A0093257.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP310\A0093258.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP310\A0093262.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP311\A0093298.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0098324.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099426.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099427.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099428.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099435.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099437.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099438.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099439.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099440.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099441.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099442.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099443.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099444.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099445.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099446.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099447.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099448.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099449.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099451.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099452.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099454.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099456.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099457.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099458.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099460.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099461.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099462.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099463.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099619.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099620.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099621.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099622.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0099623.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101621.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101622.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101623.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101624.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101625.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101626.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0101627.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP329\A0102619.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.ae skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ae skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.ae skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe/data0010/stream/data0005 Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe/data0010/stream Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe/data0010 Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105649.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP330\A0105654.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP331\A0105717.exe Infected: Trojan-Downloader.Win32.VB.dht skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP331\A0105718.exe Infected: Trojan-Downloader.Win32.Agent.lqu skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP332\A0107738.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP332\A0107739.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP332\A0107740.dll Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP334\A0107898.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP336\A0109919.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110284.exe Infected: Trojan-Downloader.Win32.VB.dht skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110292.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110294.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110295.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110298.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110299.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110301.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110302.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110303.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110307.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110308.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110309.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP338\A0110310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP339\A0110385.exe Infected: Trojan-Downloader.Win32.Agent.lqu skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP339\A0110388.dll Infected: not-a-virus:AdWare.Win32.Agent.bds skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP339\A0110389.dll Infected: not-a-virus:AdWare.Win32.TopSearch.b skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP342\A0110611.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.ae skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP342\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{745DC3F2-1AC2-4125-A700-D490CBD20F36}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{966CA4E0-7930-4B69-B5AB-39B31DB96169}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by nugent1, 28 March 2008 - 02:29 PM.


#9 Lusitano (Trusted Helper, Malware Removal, 525 posts)
Good job :)

» To clear out Spybot Search & Destroy's quarantine:

* Run Spybot Search & Destroy
* Click the Recovery icon
* Select all the items present
* Click purge selected items


» Using Windows Explorer (to get there, right-click your Start button and choose "Explore"), please delete these files and folders, if present:

C:\Documents and Settings\Administrator\Application Data\SpywareBot <- this folder

C:\Documents and Settings\Todd\Desktop\[4][email protected] <- this file



Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and re-enable System Restore. - If you are using Windows ME or XP, then you should disable and re-enable System Restore to make sure there are no infected files left in a restore point.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

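As an added example that is not part of Lusitano's post, the PowerShell script below checks (and, with -Fix, sets) the six Internet-zone Custom Level settings listed above by reading the registry values Internet Explorer keeps behind that dialog. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the 0/1/3 encoding are assumed from Microsoft's documentation of IE security-zone registry entries, and `Test-IeInternetZoneHardening` is a name chosen here.

```powershell
# Added example, not from the original post: audit the Internet-zone (zone 3)
# Custom Level settings recommended above against the current user's registry.
# Assumed mapping of value names to dialog entries, per Microsoft's IE zone
# documentation (KB182569); verify against your IE version before relying on it.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumed encoding of each DWORD: 0 = Enable, 1 = Prompt, 3 = Disable
$names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Dialog entry, assumed registry value name, and the value the post recommends
$recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Id = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Id = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Id = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Id = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Id = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Id = '1607'; Want = 1 }
)

function Test-IeInternetZoneHardening {
    param([switch]$Fix)   # -Fix writes the recommended value where it differs
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($s in $recommended) {
        $current = $zone.($s.Id)
        # A missing value means the zone template default applies; report it as such.
        # Note: Group Policy (HKLM ...\Policies) can override what HKCU shows here.
        $currentName = if ($null -eq $current) { 'not set' }
                       elseif ($names.ContainsKey([int]$current)) { $names[[int]$current] }
                       else { "unknown($current)" }
        $ok = ($current -eq $s.Want)
        [pscustomobject]@{
            Setting     = $s.Name
            Current     = $currentName
            Recommended = $names[$s.Want]
            Compliant   = $ok
        }
        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $zonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

# Report only; run "Test-IeInternetZoneHardening -Fix" to apply the recommended values.
Test-IeInternetZoneHardening | Format-Table -AutoSize
```

Run it after making the changes in the Custom Level dialog to confirm each entry shows Compliant = True; a row reading "not set" means the zone is still on its template default for that entry.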

#10 Lusitano (Trusted Helper, Malware Removal, 525 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.