Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Another victim on TrojanDownloader.xs [RESOLVED]

Started by OldPeter , Mar 31 2008 06:05 PM

This topic is locked

#1
OldPeter

Posted 31 March 2008 - 06:05 PM

New Member

Member
7 posts

I've been following the posts of other 'victims' of this problem and have done all the scans proposed with the various scanners.

Only Panda found anything (2 Viruses, 9 Spyware and 3 Hackers Tools and Rootkits), but would not let me save a log file

I removed the unwanted icons and the monitor background scree message. There are 2 remaining annoyances, The first is a large RED message window telling me that TrojanDownloader.xs is threatening me and I should buy, what I now know to be useless software. The second one is from the tray, with a similar message.

Thanks to everyone.

Here is my 'HijackThis' log and other requested items.Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:38 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\lapelypg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MRC] "C:\Program Files\Zone Labs\ZoneAlarm\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ehuftwcx] C:\WINDOWS\system32\wdsxinwf.exe
O4 - HKCU\..\Run: [nenidntw] C:\WINDOWS\system32\lapelypg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186411229500
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9821 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/31/2008 at 00:19 AM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:55:09

Memory items scanned : 457
Memory threats detected : 0
Registry items scanned : 5883
Registry threats detected : 0
File items scanned : 147364
File threats detected : 77

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adlegend[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@adecn[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@adinterax[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@adknowledge[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@carfinderservice[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@centralmediaserver[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@clicktorrent[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@elitesense[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@exefind[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@findagrave[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@findlaw[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@hornymatches[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@indexstats[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@indextools[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@kanoodle[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@keywordmax[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@ljfind[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@nandomedia[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@nextag[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@oddcast[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@partner2profit[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@precisionclick[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@spamblockerutility[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@statsW[2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@stats[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@tripod[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@usenext[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@vortexmediagroup[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@webstats4u[1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][7].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][8].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\My Backup -- 04-08-07 1436\Documents and Settings\Owner\Cookies\owner@xiti[1].txt

Adware.AdDynamix/PennyWeb
C:\MY BACKUP -- 04-08-07 1436\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0HEV4XE3\BLANK[1].JS

Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard - English, Français, Deutsch
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Flash Player ActiveX
Adobe Photoshop 7.0.1
Adobe SVG Viewer 3.0
Apple Mobile Device Support
Apple Software Update
Belarc Advisor 7.2
CCleaner (remove only)
Digital Media Reader
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD-CLONER V5.00 Build 965
DVDx 2.2
eBahn® Reader
Enfocus PitStop Professional
GoldWave v5.23
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
HP Driver Diagnostics
HP Image Zone 4.2
HP Product Detection
HP PSC & OfficeJet 4.2
HP Software Update
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Adapters and Drivers
iTunes
Java DB 10.3.1.4
Java™ 6 Update 5
Java™ SE Development Kit 6 Update 5
Learn2 Player (Uninstall Only)
Lizardtech DjVu Control
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Baseline Security Analyzer 2.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Keyboard Driver
Nero 7 Essentials
Nero BurnRights
neroxml
oobeFlagNetscape0
Panda ActiveScan
PC Tune-Up
PC Wizard 2005.1.643
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoNow! 1.0
Picasa 2
PowerDirector
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
ScanSoft PaperPort Viewer 7.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SmartSound Quicktracks Plugin
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
Spyware Doctor 5.5
SUPERAntiSpyware Free Edition
TaxCut Premium + State 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6d
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
XEAN Extranet Access Client

#2
Stamper19

Posted 31 March 2008 - 07:43 PM

Expert

Expert
1,992 posts

Hi OldPeter,

Welcome to Geeks to Go!

My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

----------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.

Close all applications and windows.
Double-click on DSS.exe to run it, and follow the prompts.
The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Information to include in your next post:

SmitfraudFix Log
main.txt and extra.txt from DSS

#3
OldPeter

Posted 01 April 2008 - 05:24 AM

New Member

Topic Starter
Member
7 posts

As requested

SmitFraudFix v2.309

Scan done at 7:09:14.39, Tue 04/01/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\lapelypg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.92.226.40
DNS Server Search Order: 24.92.226.41

HKLM\SYSTEM\CCS\Services\Tcpip\..\{13B32FA9-6A6A-49C3-BEBC-D305C800B0BC}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS1\Services\Tcpip\..\{13B32FA9-6A6A-49C3-BEBC-D305C800B0BC}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS2\Services\Tcpip\..\{13B32FA9-6A6A-49C3-BEBC-D305C800B0BC}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-01 07:11:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
47: 2008-04-01 11:11:49 UTC - RP164 - Deckard's System Scanner Restore Point
46: 2008-04-01 00:23:32 UTC - RP163 - Removed oobeFlagNetscape0
45: 2008-03-31 14:21:34 UTC - RP162 - NewStartingPoint
44: 2008-03-31 02:17:52 UTC - RP161 - Installed SUPERAntiSpyware Free Edition
43: 2008-03-30 14:14:48 UTC - RP160 - Special

-- First Restore Point --
1: 2008-03-29 03:36:04 UTC - RP118 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:41 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\lapelypg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ehuftwcx] C:\WINDOWS\system32\wdsxinwf.exe
O4 - HKCU\..\Run: [nenidntw] C:\WINDOWS\system32\lapelypg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186411229500
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8940 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R3 Eacfilt (Eacfilt Miniport) - c:\windows\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>

S0 kl1 - c:\windows\system32\drivers\kl1.sys (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-03-30 21:15:48 496 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2007-12-27 22:27:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-01 and 2008-04-01 -----------------------------

2008-03-31 17:26:00 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-30 22:18:04 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-30 22:17:53 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-30 22:17:53 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-30 22:16:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 22:07:13 0 d-------- C:\WINDOWS\pss
2008-03-30 21:27:03 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:15:47 0 d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-03-30 13:29:42 0 d-------- C:\Program Files\GoldWave
2008-03-30 12:11:35 0 d-------- C:\Program Files\Trend Micro
2008-03-30 11:37:18 3564 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-30 11:36:30 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-30 11:36:29 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-30 11:36:29 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-30 11:36:29 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-30 11:36:29 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-30 11:36:29 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-30 11:36:29 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-30 11:25:28 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-30 11:25:28 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-30 11:25:28 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-30 11:25:28 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-30 10:41:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-03-30 10:40:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-03-30 10:12:14 0 d-------- C:\Program Files\Sun
2008-03-30 10:06:30 0 d-------- C:\Program Files\Common Files\Java
2008-03-29 23:10:25 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-03-29 23:09:18 0 d-------- C:\Program Files\CCleaner
2008-03-29 18:40:35 0 d-------- C:\WINDOWS\ERUNT
2008-03-29 15:28:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-29 15:27:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 10:31:11 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-29 10:31:11 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-29 10:31:11 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-29 10:31:11 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-29 10:31:11 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-29 10:31:11 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-29 10:31:11 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-29 10:31:11 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-29 10:31:11 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-29 10:31:11 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-29 10:31:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-29 10:31:11 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-29 10:31:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-03-29 10:31:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-29 10:31:10 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-29 10:31:10 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-29 10:31:10 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-29 10:31:10 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-29 09:16:03 94208 --a------ C:\WINDOWS\system32\lapelypg.exe
2008-03-29 01:40:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-03-28 23:17:42 0 d-------- C:\Documents and Settings\All Users\Application Data\ypcpipuj
2008-03-21 13:55:15 0 d-------- C:\WINDOWS\system32\Adobe

-- Find3M Report ---------------------------------------------------------------

2008-03-31 17:38:49 0 d-------- C:\Program Files\Digital Media Reader
2008-03-31 17:38:46 0 d-------- C:\Program Files\QuickTime
2008-03-31 17:38:46 0 d-------- C:\Program Files\iTunes
2008-03-31 17:38:42 0 d-------- C:\Program Files\Messenger
2008-03-31 17:38:41 0 d-------- C:\Program Files\Picasa2
2008-03-30 22:16:59 0 d-------- C:\Program Files\Common Files
2008-03-30 10:12:06 0 d-------- C:\Program Files\Java
2008-03-21 13:55:15 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-10 14:49:48 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-02 10:05:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-01 11:29:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-29 15:49:27 0 d-------- C:\Program Files\iPod
2008-02-24 11:30:35 0 d-------- C:\Program Files\PC Wizard 2005
2008-02-23 10:26:28 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-02-23 10:26:28 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-02-23 10:26:25 0 d-------- C:\Program Files\PDF995
2008-02-10 12:36:24 336 --a------ C:\Program Files\temp995.bat
2008-02-04 16:58:53 0 d-------- C:\Program Files\TaxCut07
2008-02-04 16:56:34 0 d-------- C:\Documents and Settings\Owner\Application Data\TaxCut
2008-02-03 13:24:21 0 d-------- C:\Program Files\ACW
2008-01-21 15:49:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 04:42 PM]
"CHotkey"="zHotkey.exe" [05/17/2004 09:30 PM C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [09/19/2003 12:09 PM C:\WINDOWS\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 06:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 10:42 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 06:55 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 06:51 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [10/18/2004 05:05 PM]
"SoundMan"="SOUNDMAN.EXE" [09/23/2004 10:27 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [09/24/2004 09:06 PM C:\WINDOWS\ALCWZRD.EXE]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/2003 07:10 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [09/10/2003 03:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/24/2007 09:18 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/15/2007 09:02 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [10/23/2007 05:18 PM]
"ehuftwcx"="C:\WINDOWS\system32\wdsxinwf.exe" []
"nenidntw"="C:\WINDOWS\system32\lapelypg.exe" [03/29/2008 09:16 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/24/2003 12:37:56 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/8/2007 5:37:37 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

-- End of Deckard's System Scanner: finished at 2008-04-01 07:13:20 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1013.86 MiB / 600.01 MiB
Pagefile Memory (total/avail): 2441.3 MiB / 2102.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.3 MiB

C: is Fixed (NTFS) - 144.83 GiB total, 60.7 GiB free.
D: is Fixed (FAT32) - 4.2 GiB total, 1.68 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3160023AS - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 144.83 GiB - C:
\PARTITION1 - Unknown - 4.21 GiB - D:

\\.\PHYSICALDRIVE1 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\Acrobat.exe"="C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\Acrobat.exe:*:Enabled:Adobe Acrobat 6.0"
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"="C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe:*:Enabled:CyberLink PowerDirector"
"C:\\Program Files\\Xerox External Access Network\\Extranet.exe"="C:\\Program Files\\Xerox External Access Network\\Extranet.exe:*:Enabled:Contivity VPN Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PETERSDESK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\PETERSDESK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=PETERSDESK
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Standard - English, Français, Deutsch --> MsiExec.exe /I{AC76BA86-1033-F400-BA7E-000000000001}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0.1 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD-CLONER V5.00 Build 965 --> "C:\Program Files\Dvd-cloner\unins000.exe"
DVDx 2.2 --> "C:\Program Files\DVDx\unins000.exe"
eBahn® Reader --> "C:\WINDOWS\eBahn\eBahn Reader Only - Online Updates.exe" "/U:C:\Program Files\eBahn\Uninstall\eBahn\eBahn Reader Only - Online Updates.xml"
Enfocus PitStop Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9D2055E-944D-4EF2-8E1E-E52D8C27C160}\Setup.exe" -l0x9
GoldWave v5.23 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.23" "C:\Program Files\GoldWave\unstall.log"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Driver Diagnostics --> MsiExec.exe /I{6314D540-E3C1-4F30-AEEB-4154C93375C3}
HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Product Detection --> MsiExec.exe /I{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Development Kit 6 Update 5 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160050}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lizardtech DjVu Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105CFC7C-6992-11D5-BD9D-000102C10FD8}\Setup.exe" -l0x9
McAfee VirusScan Enterprise --> MsiExec.exe /I{59224777-298D-4E9C-9AEB-4A91BDA01B27}
Microsoft Baseline Security Analyzer 2.1 --> MsiExec.exe /I{6AF5CAB9-FD0A-494F-8AA6-784D4B5D06C5}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9
Nero 7 Essentials --> MsiExec.exe /X{1196A3B6-9B62-4999-BF6C-1CCE1F581033}
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
oobeFlagNetscape0 --> MsiExec.exe /X{D95877BE-0165-42EC-B558-727F9F41372C}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC Wizard 2005.1.643 --> "C:\Program Files\PC Wizard 2005\unins000.exe"
Pdf995 (installed by TaxCut) --> C:\Program Files\pdf995\setup.exe uninstall
PdfEdit995 (installed by TaxCut) --> C:\Program Files\pdf995\res\utilities\thinsetup.exe - uninstall
PhotoNow! 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D36DD326-7280-11D8-97C8-000129760CBE}\Setup.exe" -uninstall
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDirector --> "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" -l0x000409 /z-uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
ScanSoft PaperPort Viewer 7.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ScanSoft\PaperPort Viewer\Uninst.isu"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TaxCut Premium + State 2007 --> MsiExec.exe /X{663E217E-FC26-4249-9E8E-F190CD63E737}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
XEAN Extranet Access Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF964A78-078C-11D1-B7A7-0000C0134CE6}\setup.exe" Uninstall

-- Application Event Log -------------------------------------------------------

Event Record #/Type2673 / Error
Event Submitted/Written: 03/31/2008 08:23:29 PM
Event ID/Source: 11306 / MsiInstaller
Event Description:
Product: oobeFlagNetscape0 -- Error 1306. Another application has exclusive access to the file 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb'. Please shut down all other applications, then click Retry.

Event Record #/Type2660 / Error
Event Submitted/Written: 03/31/2008 07:17:13 PM
Event ID/Source: 1008 / McLogEvent
Event Description:
The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;

Event Record #/Type2561 / Error
Event Submitted/Written: 03/30/2008 09:53:56 AM
Event ID/Source: 11306 / MsiInstaller
Event Description:
Product: oobeFlagNetscape0 -- Error 1306. Another application has exclusive access to the file 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb'. Please shut down all other applications, then click Retry.

Event Record #/Type2560 / Error
Event Submitted/Written: 03/30/2008 09:53:54 AM
Event ID/Source: 11306 / MsiInstaller
Event Description:
Product: oobeFlagNetscape0 -- Error 1306. Another application has exclusive access to the file 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb'. Please shut down all other applications, then click Retry.

Event Record #/Type2550 / Error
Event Submitted/Written: 03/29/2008 11:13:34 PM
Event ID/Source: 1008 / McLogEvent
Event Description:
The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type47869 / Error
Event Submitted/Written: 04/01/2008 06:46:59 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1

Event Record #/Type47842 / Error
Event Submitted/Written: 03/31/2008 08:26:53 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1

Event Record #/Type47833 / Error
Event Submitted/Written: 03/31/2008 08:23:43 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type47830 / Error
Event Submitted/Written: 03/31/2008 08:23:43 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type47827 / Error
Event Submitted/Written: 03/31/2008 08:23:43 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

-- End of Deckard's System Scanner: finished at 2008-04-01 07:13:20 ------------

Thank you

#4
Stamper19

Posted 01 April 2008 - 05:46 AM

Expert

Expert
1,992 posts

Hi OldPete,

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#5
OldPeter

Posted 01 April 2008 - 05:55 PM

New Member

Topic Starter
Member
7 posts

Hi Stamper19,

Here are the requested logs

ComboFix 08-04-01.2 - Owner 2008-04-01 19:42:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.554 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 07:11 . 2008-04-01 07:11 <DIR> d-------- C:\Deckard
2008-03-31 17:26 . 2008-03-31 17:38 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-31 17:26 . 2008-03-31 17:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-31 17:26 . 2008-03-31 17:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-31 17:26 . 2008-03-31 17:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-30 22:18 . 2008-03-30 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-30 22:17 . 2008-03-31 17:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-30 22:17 . 2008-03-30 22:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-30 22:16 . 2008-03-30 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 21:27 . 2008-03-31 20:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-03-30 13:29 . 2008-03-30 13:29 <DIR> d-------- C:\Program Files\GoldWave
2008-03-30 12:11 . 2008-03-30 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 11:58 . 2008-04-01 19:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-30 11:58 . 2008-03-30 11:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-30 11:39 . 2008-03-30 11:57 <DIR> d-------- C:\SDFix
2008-03-30 11:37 . 2008-04-01 07:09 3,564 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-30 11:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-30 11:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-30 11:36 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-30 11:36 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-30 11:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-30 11:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-30 11:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-30 10:41 . 2008-03-30 10:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-03-30 10:12 . 2008-03-30 10:12 <DIR> d-------- C:\Program Files\Sun
2008-03-30 10:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-30 10:06 . 2008-03-30 10:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-29 23:09 . 2008-03-29 23:09 <DIR> d-------- C:\Program Files\CCleaner
2008-03-29 18:40 . 2008-03-29 18:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 15:28 . 2008-03-29 15:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-29 15:27 . 2008-03-29 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 10:31 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-29 10:31 . 2007-08-04 15:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-29 10:31 . 2007-08-04 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-03-29 09:16 . 2008-03-29 09:16 94,208 --a------ C:\WINDOWS\system32\lapelypg.exe
2008-03-29 01:40 . 2008-03-29 01:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-03-28 23:17 . 2008-03-29 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ypcpipuj
2008-03-21 13:55 . 2008-03-21 13:55 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 21:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-31 21:38 --------- d-----w C:\Program Files\QuickTime
2008-03-31 21:38 --------- d-----w C:\Program Files\Picasa2
2008-03-31 21:38 --------- d-----w C:\Program Files\iTunes
2008-03-31 21:38 --------- d-----w C:\Program Files\Digital Media Reader
2008-03-30 14:12 --------- d-----w C:\Program Files\Java
2008-03-30 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-10 18:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-01 15:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-29 19:49 --------- d-----w C:\Program Files\iPod
2008-02-24 15:30 --------- d-----w C:\Program Files\PC Wizard 2005
2008-02-23 14:26 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-02-23 14:26 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-02-23 14:26 --------- d-----w C:\Program Files\PDF995
2008-02-10 16:36 336 ----a-w C:\Program Files\temp995.bat
2008-02-04 20:58 --------- d-----w C:\Program Files\TaxCut07
2008-02-04 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-04 20:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\TaxCut
2008-02-04 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2008-02-03 17:24 --------- d-----w C:\Program Files\ACW
.

((((((((((((((((((((((((((((( snapshot@2008-03-30_11.29.41.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2008-03-29 22:40:57 729,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-30 15:42:52 5,853,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-03-29 22:40:57 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-30 15:42:52 212,992 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-31 02:18:00 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-31 02:18:00 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-03-29 13:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 20:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 18:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 15:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 17:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 13:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-16 22:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 22:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 15:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 19:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 17:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 14:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 17:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 22:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 20:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 15:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 18:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 18:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 14:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 17:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 14:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 17:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 15:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 15:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 12:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 18:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 14:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 14:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 20:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 13:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 14:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 18:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 18:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 17:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 12:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 12:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 13:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 18:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 13:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 15:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 12:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 19:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 12:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 12:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 19:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 15:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 15:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 21:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 18:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 13:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 14:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 10:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 21:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 13:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2006-08-02 16:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2008-03-30 14:03:11 53,812 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-01 23:40:18 53,812 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-30 14:03:12 383,584 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-01 23:40:18 383,584 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2003-03-25 22:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]
"ehuftwcx"="C:\WINDOWS\system32\wdsxinwf.exe" [ ]
"nenidntw"="C:\WINDOWS\system32\lapelypg.exe" [2008-03-29 09:16 94208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"CHotkey"="zHotkey.exe" [2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 17:05 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 22:27 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 21:06 2559488 C:\WINDOWS\ALCWZRD.EXE]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11 135251]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-24 09:18 185632]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 21:02 153136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-08 17:37:37 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\Acrobat.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\Xerox External Access Network\\Extranet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-08-14 22:22]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-08-14 22:22]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-08-14 22:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 01:15:48 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-12-28 02:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 19:45:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 19:46:47
ComboFix-quarantined-files.txt 2008-04-01 23:46:44
ComboFix2.txt 2008-03-30 15:30:06
Pre-Run: 65,102,860,288 bytes free
Post-Run: 65,089,122,304 bytes free
.
2008-03-20 11:25:42 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:33 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\lapelypg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ehuftwcx] C:\WINDOWS\system32\wdsxinwf.exe
O4 - HKCU\..\Run: [nenidntw] C:\WINDOWS\system32\lapelypg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186411229500
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8955 bytes

Thank you

#6
Stamper19

Posted 02 April 2008 - 09:00 AM

Expert

Expert
1,992 posts

Hi OldPeter,

We still have some work to do.

----------------------------------------------------------------

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

----------------------------------------------------------------

We are going to use ComboFix to delete some things.

Copy the entire contents of the Code Box below to Notepad.
Name the file as CFScript.txt
Change the Save as Type to All Files
and Save it on the desktop

File::
C:\WINDOWS\system32\wdsxinwf.exe
C:\WINDOWS\system32\lapelypg.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehuftwcx"=-
"nenidntw"=-

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Please clean out your temp files.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

----------------------------------------------------------------

Information to include in your next post:

Vundofix.txt
ComboFix Log
Kapersky Scan Log

#7
OldPeter

Posted 02 April 2008 - 05:38 PM

New Member

Topic Starter
Member
7 posts

Hi Stamper19,

Here are the new logs as requested

VundoFix V7.0.3

Scan started at 4:15:53 PM 4/2/2008

Listing files found while scanning....

No infected files were found.

Beginning removal...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:16 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\lapelypg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ehuftwcx] C:\WINDOWS\system32\wdsxinwf.exe
O4 - HKCU\..\Run: [nenidntw] C:\WINDOWS\system32\lapelypg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186411229500
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8955 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 02, 2008 7:30:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 678409
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 152508
Number of viruses found: 7
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 02:24:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_PETERSDESK.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_PETERSDESK.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\admparse.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\admparse.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\advpack.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\advpack.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\browseui.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\corpol.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\custsat.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\dxtmsft.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\dxtrans.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\extmgr.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\extmgr.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\feeddisc.wav Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\hmmapi.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\hmmapi.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\html.iec Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\html.iec.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\icardie.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\icardie.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\icrav03.rat Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ie4uinit.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ie4uinit.exe.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieakeng.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieakeng.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieakmmc.chm Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieaksie.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieaksie.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieakui.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieakui.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieapfltr.dat Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieapfltr.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iedkcs32.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iedkcs32.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iedw.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iedw.exe.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieencode.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieeula.chm Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieframe.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieframe.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iepeers.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iepeers.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieproxy.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iernonce.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iernonce.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iertutil.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iesetup.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iesetup.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iesupp.chm Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieudinit.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieui.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieui.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieuinit.inf Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\ieunatt.exe.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iexplore.chm Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iexplore.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\iexplore.exe.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\imgutil.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inetcorp.iem Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inetcpl.cpl Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inetcpl.cpl.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inetres.adm Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inetset.iem Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\infobar.wav Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inseng.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\inseng.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\install.ins Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\jscript.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\jsproxy.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\licmgr10.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\licmgr10.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msfeeds.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msfeeds.mof Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msfeedsbs.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msfeedsbs.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msfeedsbs.mof Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msfeedssync.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshta.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshta.exe.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtml.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtml.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtml.tlb Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtmled.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtmled.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtmler.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mshtmler.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msls31.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msrating.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\msrating.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\mstime.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\navstart.wav Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\occache.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\occache.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\occache.ini Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\pngfilt.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\popupblk.wav Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\shdocvw.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\shlwapi.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\spmsg.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\spuninst.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\spupdsvc.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\tdc.ocx Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\eula.rtf Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\idndl.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\ie7.cat Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\iecustom.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\iereseticons.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\iesetup.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\legitlibm.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\nlsdl.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\update.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\update.exe.manifest Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\update.inf Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\update.ver Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\updspapi.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\update\xmllitesetup.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\url.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\urlmon.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\urlmon.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\vbscript.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\vgx.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\webcheck.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\webcheck.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\webcheck.ini Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\winfxdocobj.exe Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\winfxdocobj.exe.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\wininet.dll Object is locked skipped
C:\My Backup -- 04-08-07 1436\04b23c08950ee2bbea7e08bece\wininet.dll.mui Object is locked skipped
C:\My Backup -- 04-08-07 1436\993fbdb133a4982436f8\msxml4-KB927978-enu.log Object is locked skipped
C:\My Backup -- 04-08-07 1436\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d30da12ac40aa9ce1ab55ff049f6dc4_d696b102-c006-4e63-9f0b-a06f6a77c2e7 Object is locked skipped
C:\My Backup -- 04-08-07 1436\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\QUARANTINE\Av-test.txt.Vir Infected: EICAR-Test-File skipped
C:\QUARANTINE\Av-test.txt.Vir.0 Infected: EICAR-Test-File skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP152\A0034150.dll Infected: not-a-virus:AdWare.Win32.Vapsup.ddz skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP152\A0034151.dll Infected: not-a-virus:AdWare.Win32.Vapsup.deb skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP152\A0034152.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dgg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP152\A0034153.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dgf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP152\A0035231.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP152\A0035249.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP155\A0035647.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP155\A0035647.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP155\A0035647.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP157\A0035845.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP157\A0035845.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP157\A0035845.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP157\A0035856.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP162\A0040092.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0042179.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0042179.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0042179.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0042187.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\change.log Object is locked skipped

Scan process completed.

Thank you once again.

#8
OldPeter

Posted 02 April 2008 - 05:41 PM

New Member

Topic Starter
Member
7 posts

Sorry, I forgot combofix. Here it is

ComboFix 08-04-01.2 - Owner 2008-04-02 16:29:13.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.566 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\lapelypg.exe
C:\WINDOWS\system32\wdsxinwf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lapelypg.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 16:15 . 2008-04-02 16:15 <DIR> d-------- C:\VundoFix Backups
2008-04-01 07:11 . 2008-04-01 07:11 <DIR> d-------- C:\Deckard
2008-03-31 17:26 . 2008-03-31 17:38 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-31 17:26 . 2008-03-31 17:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-31 17:26 . 2008-03-31 17:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-31 17:26 . 2008-03-31 17:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-30 22:18 . 2008-03-30 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-30 22:17 . 2008-03-31 17:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-30 22:17 . 2008-03-30 22:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-30 22:16 . 2008-03-30 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 21:27 . 2008-03-31 20:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:15 . 2008-03-30 21:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-03-30 13:29 . 2008-03-30 13:29 <DIR> d-------- C:\Program Files\GoldWave
2008-03-30 12:11 . 2008-03-30 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 11:58 . 2008-04-02 16:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-30 11:58 . 2008-03-30 11:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-30 11:39 . 2008-03-30 11:57 <DIR> d-------- C:\SDFix
2008-03-30 11:37 . 2008-04-01 07:09 3,564 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-30 11:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-30 11:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-30 11:36 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-30 11:36 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-30 11:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-30 11:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-30 11:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-30 10:41 . 2008-03-30 10:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-03-30 10:12 . 2008-03-30 10:12 <DIR> d-------- C:\Program Files\Sun
2008-03-30 10:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-30 10:06 . 2008-03-30 10:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-29 23:09 . 2008-03-29 23:09 <DIR> d-------- C:\Program Files\CCleaner
2008-03-29 18:40 . 2008-03-29 18:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 15:28 . 2008-03-29 15:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-29 15:27 . 2008-03-29 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 10:31 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-29 10:31 . 2007-08-04 15:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-29 10:31 . 2007-08-04 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-03-29 01:40 . 2008-03-29 01:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-03-28 23:17 . 2008-03-29 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ypcpipuj
2008-03-21 13:55 . 2008-03-21 13:55 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 21:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-31 21:38 --------- d-----w C:\Program Files\QuickTime
2008-03-31 21:38 --------- d-----w C:\Program Files\Picasa2
2008-03-31 21:38 --------- d-----w C:\Program Files\iTunes
2008-03-31 21:38 --------- d-----w C:\Program Files\Digital Media Reader
2008-03-30 14:12 --------- d-----w C:\Program Files\Java
2008-03-30 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-10 18:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-01 15:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-29 19:49 --------- d-----w C:\Program Files\iPod
2008-02-24 15:30 --------- d-----w C:\Program Files\PC Wizard 2005
2008-02-23 14:26 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-02-23 14:26 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-02-23 14:26 --------- d-----w C:\Program Files\PDF995
2008-02-10 16:36 336 ----a-w C:\Program Files\temp995.bat
2008-02-04 20:58 --------- d-----w C:\Program Files\TaxCut07
2008-02-04 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-04 20:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\TaxCut
2008-02-04 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2008-02-03 17:24 --------- d-----w C:\Program Files\ACW
.

((((((((((((((((((((((((((((( snapshot_2008-04-01_19.46.37.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-01 23:40:18 53,812 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-02 20:04:21 53,812 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-01 23:40:18 383,584 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-02 20:04:21 383,584 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"CHotkey"="zHotkey.exe" [2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 17:05 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 22:27 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 21:06 2559488 C:\WINDOWS\ALCWZRD.EXE]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11 135251]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-24 09:18 185632]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 21:02 153136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-08 17:37:37 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\Acrobat.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\Xerox External Access Network\\Extranet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-08-14 22:22]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-08-14 22:22]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-08-14 22:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 01:15:48 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-12-28 02:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 16:31:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-02 16:32:16
ComboFix-quarantined-files.txt 2008-04-02 20:32:14
ComboFix2.txt 2008-04-01 23:47:30
ComboFix3.txt 2008-03-30 15:30:06
Pre-Run: 65,102,245,888 bytes free
Post-Run: 65,088,413,696 bytes free
.
2008-03-20 11:25:42 --- E O F ---

Thanks

#9
Stamper19

Posted 02 April 2008 - 06:09 PM

Expert

Expert
1,992 posts

Can you please post a fresh HiJack This log? It looks like the one you posted was run before combofix - I need to see one from after

Thanks.

#10
OldPeter

Posted 02 April 2008 - 07:14 PM

New Member

Topic Starter
Member
7 posts

Sorry, here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:13 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186411229500
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O18 - Protocol: x-ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8958 bytes

Cheers and thank you.

#11
Stamper19

Posted 02 April 2008 - 08:24 PM

Expert

Expert
1,992 posts

Hi Old Peter,

Congrats - your logs are all clean

There are still a couple of things you should do for the sake of cleaning up.

---------------------------------------------------------------

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

----------------------------------------------------------------

Otherwise, unless you have any questions, you are all set. Included below are some tips for keeping your computer malware free in the future.

Cheers,
Stamper

----------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

#12
OldPeter

Posted 03 April 2008 - 05:03 AM

New Member

Topic Starter
Member
7 posts

Hi Stamper19,

My computer is clean and working well. Thank you for the very good work. A donation has been sent.

Cheers,
Peter

#13
Stamper19

Posted 03 April 2008 - 06:56 AM

Expert

Expert
1,992 posts

Happy to hear that everything is running as it should, and thank you very much for the donation

#14
Stamper19

Posted 03 April 2008 - 06:56 AM

Expert

Expert
1,992 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.