antispyspider infection [RESOLVED]


  • This topic is locked

#31 Robin Miller (Member, Topic Starter, 32 posts)
Hi,

I'm at work right now. For the time being, my desktop is back to normal. The blue background with the warnings on it is gone. Is it still necessary to do that step? Will that get rid of it if it's still lurking around in my computer?
  • 0


#32 Robin Miller (Member, Topic Starter, 32 posts)
Okay, here's the ComboFix log:

ComboFix 08-05-21.3 - Robin Miller 2008-05-23 22:53:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.597 [GMT -5:00]
Running from: C:\Documents and Settings\Robin Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robin Miller\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Robin Miller\Application Data\shb.dat
C:\Program Files\wt3d.ini
C:\WINDOWS\ctions.dll
C:\WINDOWS\estrictions.dll
C:\WINDOWS\ictions.dll
C:\WINDOWS\index.html
C:\WINDOWS\strictions.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\trictions.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Robin Miller\Application Data\shb.dat
C:\Program Files\wt3d.ini
C:\WINDOWS\ctions.dll
C:\WINDOWS\estrictions.dll
C:\WINDOWS\ictions.dll
C:\WINDOWS\index.html
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\trictions.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-18 18:47 . 2008-05-18 19:01 <DIR> d-------- C:\Documents and Settings\Robin Miller\DoctorWeb
2008-05-18 15:09 . 2008-05-18 15:09 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-17 18:10 . 2008-05-17 18:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 18:10 . 2008-05-17 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 17:29 . 2008-05-17 17:29 <DIR> d-------- C:\_OTMoveIt
2008-05-17 12:02 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-17 12:01 . 2008-05-17 12:01 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 22:33 . 2008-05-15 22:33 <DIR> d-------- C:\Deckard
2008-05-15 06:50 . 2008-05-15 22:10 <DIR> d-------- C:\Documents and Settings\J.E. Miller\Application Data\AVGTOOLBAR
2008-05-14 23:25 . 2008-05-14 23:25 <DIR> d-------- C:\Documents and Settings\Amanda Miller\Application Data\Malwarebytes
2008-05-14 23:11 . 2008-05-15 17:55 <DIR> d-------- C:\Documents and Settings\Amanda Miller\Application Data\AVGTOOLBAR
2008-05-13 22:45 . 2008-05-13 22:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-13 22:45 . 2008-05-14 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:03 . 2008-05-13 22:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-13 19:55 . 2008-05-23 13:05 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-13 19:38 . 2008-05-22 19:21 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Program Files\AVG
2008-05-13 19:38 . 2008-05-18 21:06 <DIR> d-------- C:\Documents and Settings\Robin Miller\Application Data\AVGTOOLBAR
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-13 19:38 . 2008-05-13 19:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 19:38 . 2008-05-13 19:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-13 19:38 . 2008-05-13 19:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 17:55 . 2008-05-13 17:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 17:55 . 2008-05-13 17:55 <DIR> d-------- C:\Documents and Settings\Robin Miller\Application Data\Malwarebytes
2008-05-13 17:55 . 2008-05-13 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 17:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 17:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 17:47 . 2008-05-12 17:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-12 17:45 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 17:45 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 17:45 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-12 17:45 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 17:45 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-11 21:31 . 2008-05-11 21:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 02:29 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-17 17:02 --------- d-----w C:\Program Files\Java
2008-05-14 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 02:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-14 01:16 --------- d-----w C:\Program Files\DIGStream
2008-05-04 23:39 --------- d-----w C:\Program Files\FinePixViewer
2008-04-26 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-04-24 22:18 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-24 22:18 --------- d-----w C:\Documents and Settings\Amanda Miller\Application Data\NCH Swift Sound
2008-04-04 20:49 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-22_21.29.21.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:24:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 03:40:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-13 19:38 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-13 19:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-13 19:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"BlueLight_uoltray"="C:\Program Files\BlueLight Internet\exec.exe" [2007-03-07 20:38 1629184]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-16 09:45 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-16 09:45 98304]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 06:00 455168]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"P17Helper"="P17.dll" [2004-06-10 17:51 60928 C:\WINDOWS\system32\P17.dll]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 06:00 59392]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 06:00 44032]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 11:45 196608]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 18:08 106496]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-13 19:38 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-11-16 09:44:44 156784]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2008-02-24 20:37:32 303104]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2006-04-26 21:38:12 55296]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-13 19:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-13 19:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 19:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-13 19:38]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 22:55:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-23 22:56:16
ComboFix-quarantined-files.txt 2008-05-24 03:56:13
ComboFix2.txt 2008-05-23 02:29:39

Pre-Run: 125,373,128,704 bytes free
Post-Run: 125,363,122,176 bytes free

187 --- E O F --- 2008-05-16 04:11:11
  • 0

#33 Robin Miller (Member, Topic Starter, 32 posts)
Here's the SmitFraudFix log:

SmitFraudFix v2.322

Scan done at 23:13:47.95, Fri 05/23/2008
Run from C:\Documents and Settings\Robin Miller\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\time.exe Deleted
C:\WINDOWS\waol.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#34 Robin Miller (Member, Topic Starter, 32 posts)
And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:14 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BlueLight Internet\exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\BlueLight Internet\exec.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robin Miller\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\BlueLight Internet\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: MyBlueLight - {25EEFF3E-58EE-4811-95CC-78F922605006} - C:\Program Files\BlueLight Internet\Toolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BlueLight_uoltray] C:\Program Files\BlueLight Internet\exec.exe regrun
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9589 bytes
  • 0

#35 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there Robin Miller,

Your logs are looking better, I want to re-run OTScanIt to make sure some files are gone, as well as remove two files with ComboFix.

Step 1. Making a CFscript

Please click Start, then Run, and in the window that appears type in Notepad.exe.
Now Copy (Control + C) and Paste (Control + V) the entire content of the codebox below into the notepad window:
File::
 C:\WINDOWS\system32\hljwugsf.bin
 C:\WINDOWS\system32\KGyGaAvL.sys
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
[Image: animation of CFScript.txt being dragged onto ComboFix.exe]

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Step 2. Re-running OTScanIt

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

Important: If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

In your next reply

Please post the log from ComboFix.
Please post the log from OTScanIt.

If the logs are too big to fit in one reply please spread them out over multiple replies.

Edited by Mike, 24 May 2008 - 04:34 AM.

  • 0
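To check a ComboFix run like the ones posted in this thread against the CFScript that drove it, here is an added example (not part of the thread, of ComboFix, or of the helper's steps): it parses the FILE :: echo, the Other Deletions section and the Files Created listing of a ComboFix.txt, and flags any requested path the log does not confirm as deleted. The sample input is condensed from the first ComboFix log above, where C:\WINDOWS\strictions.dll is listed under FILE :: but not under Other Deletions.

```python
"""Cross-check a ComboFix run against the CFScript that drove it.
Added example for this thread, not part of ComboFix or the helper's steps;
it reads the plain-text ComboFix.txt layout posted above."""
import re
from typing import Dict, List

# Section headers look like "(((((( Other Deletions ))))))".
SECTION_HEADER = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# "Files Created" rows: created . modified size-or-<DIR> attributes path
CREATED_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) \S+ (?P<path>.+)$"
)

# Sample input condensed from the thread's first ComboFix log: the script
# names four files, but 'Other Deletions' confirms only three of them.
SAMPLE_CFSCRIPT = """File::
 C:\\WINDOWS\\ctions.dll
 C:\\WINDOWS\\estrictions.dll
 C:\\WINDOWS\\strictions.dll
 C:\\WINDOWS\\system32\\tmp.reg
"""
SAMPLE_COMBOFIX_LOG = """ComboFix 08-05-21.3 - Robin Miller 2008-05-23 22:53:09.2 - NTFSx86

FILE ::
C:\\WINDOWS\\ctions.dll
C:\\WINDOWS\\estrictions.dll
C:\\WINDOWS\\strictions.dll
C:\\WINDOWS\\system32\\tmp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\WINDOWS\\ctions.dll
C:\\WINDOWS\\estrictions.dll
C:\\WINDOWS\\system32\\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-18 18:47 . 2008-05-18 19:01 <DIR> d-------- C:\\Documents and Settings\\Robin Miller\\DoctorWeb
2008-05-18 15:09 . 2008-05-18 15:09 4 --a------ C:\\WINDOWS\\system32\\hljwugsf.bin
2008-05-13 19:38 . 2008-05-13 19:38 10,520 --a------ C:\\WINDOWS\\system32\\avgrsstx.dll
.
"""


def cfscript_files(cfscript: str) -> List[str]:
    """Paths under a CFScript 'File::' directive; any other '::' directive ends it."""
    files, in_block = [], False
    for line in (l.strip() for l in cfscript.splitlines()):
        if line.endswith("::"):
            in_block = line.lower() == "file::"
        elif in_block and line:
            files.append(line)
    return files


def combofix_sections(log: str) -> Dict[str, List[str]]:
    """Section title -> content lines; the 'FILE ::' echo is stored under 'FILE'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (l.strip() for l in log.splitlines()):
        header = SECTION_HEADER.match(line)
        if line == "FILE ::" or header:
            current = "FILE" if not header else header.group("title")
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def verify_deletions(cfscript: str, log: str) -> Dict[str, bool]:
    """True for each requested path that 'Other Deletions' confirms (NTFS paths compare case-insensitively)."""
    deleted = {p.lower() for p in combofix_sections(log).get("Other Deletions", [])}
    return {p: p.lower() in deleted for p in cfscript_files(cfscript)}


def created_files_under(log: str, prefix: str) -> List[str]:
    """Non-directory 'Files Created' entries under prefix, e.g. the 4-byte hljwugsf.bin the helper targeted."""
    sections = combofix_sections(log)
    title = next((t for t in sections if t.startswith("Files Created")), None)
    rows = (CREATED_ROW.match(l) for l in sections.get(title, []))
    return [r.group("path") for r in rows
            if r and r.group("size") != "<DIR>"
            and r.group("path").lower().startswith(prefix.lower())]


if __name__ == "__main__":
    for path, ok in verify_deletions(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG).items():
        print(("deleted    " if ok else "NOT LISTED ") + path)
    print("files created under C:\\WINDOWS\\system32\\:")
    for path in created_files_under(SAMPLE_COMBOFIX_LOG, "C:\\WINDOWS\\system32\\"):
        print("  " + path)
```

A path reported as NOT LISTED is the cue to re-run the script or look for the file by hand, as the helper does here by resubmitting paths through a second CFScript.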

#36 Robin Miller (Member, Topic Starter, 32 posts)
Here's the combofix log:

ComboFix 08-05-21.3 - Robin Miller 2008-05-25 9:12:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -5:00]
Running from: C:\Documents and Settings\Robin Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robin Miller\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-24 21:54 . 2008-05-24 21:54 21,504 --a------ C:\WINDOWS\jestertb.dll
2008-05-23 23:14 . 2008-05-23 23:14 5,360 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 23:13 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-23 23:13 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-23 23:13 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2008-05-18 19:01 <DIR> d-------- C:\Documents and Settings\Robin Miller\DoctorWeb
2008-05-17 18:10 . 2008-05-17 18:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 18:10 . 2008-05-17 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 17:29 . 2008-05-17 17:29 <DIR> d-------- C:\_OTMoveIt
2008-05-17 12:02 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-17 12:01 . 2008-05-17 12:01 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 22:33 . 2008-05-15 22:33 <DIR> d-------- C:\Deckard
2008-05-15 06:50 . 2008-05-15 22:10 <DIR> d-------- C:\Documents and Settings\J.E. Miller\Application Data\AVGTOOLBAR
2008-05-14 23:25 . 2008-05-14 23:25 <DIR> d-------- C:\Documents and Settings\Amanda Miller\Application Data\Malwarebytes
2008-05-14 23:11 . 2008-05-15 17:55 <DIR> d-------- C:\Documents and Settings\Amanda Miller\Application Data\AVGTOOLBAR
2008-05-13 22:45 . 2008-05-13 22:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-13 22:45 . 2008-05-14 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:03 . 2008-05-13 22:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-13 19:55 . 2008-05-24 12:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-13 19:38 . 2008-05-22 19:21 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Program Files\AVG
2008-05-13 19:38 . 2008-05-18 21:06 <DIR> d-------- C:\Documents and Settings\Robin Miller\Application Data\AVGTOOLBAR
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-13 19:38 . 2008-05-13 19:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 19:38 . 2008-05-13 19:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-13 19:38 . 2008-05-13 19:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 17:55 . 2008-05-13 17:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 17:55 . 2008-05-13 17:55 <DIR> d-------- C:\Documents and Settings\Robin Miller\Application Data\Malwarebytes
2008-05-13 17:55 . 2008-05-13 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 17:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 17:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 17:47 . 2008-05-12 17:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-12 17:45 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 17:45 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 17:45 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-12 17:45 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 17:45 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-11 21:31 . 2008-05-11 21:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 03:16 --------- d-----w C:\Program Files\Free Video Converter
2008-05-17 17:02 --------- d-----w C:\Program Files\Java
2008-05-14 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 02:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-14 01:16 --------- d-----w C:\Program Files\DIGStream
2008-05-04 23:39 --------- d-----w C:\Program Files\FinePixViewer
2008-04-26 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-04-24 22:18 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-24 22:18 --------- d-----w C:\Documents and Settings\Amanda Miller\Application Data\NCH Swift Sound
2008-04-04 20:49 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
.

((((((((((((((((((((((((((((( [email protected]_21.29.21.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:24:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 04:45:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-13 19:38 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-13 19:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-13 19:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"BlueLight_uoltray"="C:\Program Files\BlueLight Internet\exec.exe" [2007-03-07 20:38 1629184]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-16 09:45 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-16 09:45 98304]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 06:00 455168]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"P17Helper"="P17.dll" [2004-06-10 17:51 60928 C:\WINDOWS\system32\P17.dll]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 06:00 59392]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 06:00 44032]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 11:45 196608]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 18:08 106496]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-13 19:38 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-11-16 09:44:44 156784]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2008-02-24 20:37:32 303104]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2006-04-26 21:38:12 55296]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-13 19:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-13 19:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 19:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-13 19:38]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 09:15:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-25 9:16:06
ComboFix-quarantined-files.txt 2008-05-25 14:15:59
ComboFix2.txt 2008-05-24 03:56:17
ComboFix3.txt 2008-05-23 02:29:39

Pre-Run: 123,735,117,824 bytes free
Post-Run: 123,749,650,432 bytes free

178 --- E O F --- 2008-05-16 04:11:11

#37 Robin Miller (Topic Starter, Member, 32 posts)
Here's the OTScanIt log attached as a file:


Edited by Robin Miller, 25 May 2008 - 08:45 AM.


#38 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there Robin Miller,

Step 1. Making a CFScript

Please click Start, then Run; in the window that appears, type Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
 C:\Windows\ctfmon32.exe
 C:\Windows\ctrlpan.dll
 C:\Windows\directx32.exe
 C:\Windows\dnsrelay.dll
 C:\Windows\editpad.exe
 C:\Windows\explorer32.exe
 C:\Windows\funniest.exe
 C:\Windows\funny.exe
 C:\Windows\gfmnaaa.dll
 C:\Windows\helpcvs.exe
 C:\Windows\inetinf.exe
 C:\Windows\internet.exe
 C:\Windows\msconfd.dll
 C:\Windows\msspi.dll
 C:\Windows\mswsc10.dll
 C:\Windows\mswsc20.dll
 C:\Windows\qttasks.exe
 C:\Windows\quicken.exe
 C:\Windows\rundll16.exe
 C:\Windows\rundll32.vbe
 C:\Windows\searchword.dll
 C:\Windows\sistem.exe
 C:\Windows\svchost32.exe
 C:\Windows\svcinit.exe
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Step 2. Fixes With OTScanIt

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Registry - Non-Microsoft Only]
 < Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
 YN -> ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
 YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
 [Files Created - Additional Folder Scans - Non-Microsoft Only]
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ATF-Cleaner.exe:Zone.Identifier
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ComboFix.exe:Zone.Identifier
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\drweb-cureit.exe:Zone.Identifier
 [Files Modified - Additional Folder Scans - Non-Microsoft Only]
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ATF-Cleaner.exe:Zone.Identifier
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ComboFix.exe:Zone.Identifier
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\drweb-cureit.exe:Zone.Identifier
 NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTScanIt.exe:Zone.Identifier
 [Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

If everything goes well, next step will be an online scan to see if we have any stragglers.
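The CFScript in the post above targets files that borrow the names of Windows binaries (ctfmon32.exe, svchost32.exe, explorer32.exe, rundll16.exe, rundll32.vbe) but sit directly in C:\Windows. As an added example that is not part of this thread and not code from ComboFix or OTScanIt, the Python below parses ComboFix "Files Created" lines, applies that look-alike heuristic to each file, and emits the matching File:: block for a CFScript. The table of legitimate binaries and their home directories is an assumption made for illustration; the sample log is constructed, with its first three lines copied from the logs in this thread and the rest mimicking the CFScript's targets with made-up sizes and timestamps.

```python
"""Look-alike file-name check over ComboFix "Files Created" lines.

Added example, not code from the thread or from ComboFix/OTScanIt. The table of
legitimate Windows XP binaries and their home directories is an assumption made
for illustration; extend it for your own baseline.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# One "Files Created" line, e.g.
#   2008-05-13 19:38 . 2008-05-13 19:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
_CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:<DIR>|(?P<size>[\d,]+)) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+?)\s*$"
)

# Legitimate binaries that the CFScript's targets imitate, with the directory
# each one normally lives in (assumed XP layout; constructed for this example).
SYSTEM_BINARIES = {
    "ctfmon": {r"C:\WINDOWS\system32"},
    "svchost": {r"C:\WINDOWS\system32"},
    "explorer": {r"C:\WINDOWS"},
    "rundll32": {r"C:\WINDOWS\system32"},
}


def parse_combofix_created(text: str) -> List[dict]:
    """Turn the log section into dicts; banners, '.' separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = _CF_LINE.match(line)
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "is_dir": size is None,
            "size": int(size.replace(",", "")) if size else None,
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def _strip_trailing_digits(name: str) -> str:
    return re.sub(r"\d+$", "", name)


def lookalike_reason(path: str) -> Optional[str]:
    """Return why a path looks like an impersonation of a system binary, or None.

    lookalike        ctfmon32.exe, svchost32.exe, rundll16.exe (digits bolted on)
    wrong-extension  rundll32.vbe (right name, script extension)
    wrong-directory  svchost.exe directly under the Windows directory
    """
    p = PureWindowsPath(path)
    stem, ext = p.stem.lower(), p.suffix.lower()
    parent = str(p.parent).lower()
    for legit, dirs in SYSTEM_BINARIES.items():
        if stem == legit:
            if ext != ".exe":
                return "wrong-extension"
            if parent not in {d.lower() for d in dirs}:
                return "wrong-directory"
            return None
        if _strip_trailing_digits(stem) == _strip_trailing_digits(legit):
            return "lookalike"
    return None


def flag_lookalikes(text: str) -> List[Tuple[str, str]]:
    """Run the heuristic over every file entry in a ComboFix log section."""
    flagged = []
    for entry in parse_combofix_created(text):
        if entry["is_dir"]:
            continue
        reason = lookalike_reason(entry["path"])
        if reason:
            flagged.append((entry["path"], reason))
    return flagged


def build_cfscript(paths: List[str]) -> str:
    """Emit the File:: block that ComboFix reads from CFScript.txt."""
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample. The first three lines are copied from the logs in this
# thread; the remaining five mimic the CFScript's targets with made-up sizes
# and timestamps.
SAMPLE_LOG = r"""2008-05-24 21:54 . 2008-05-24 21:54 21,504 --a------ C:\WINDOWS\jestertb.dll
2008-05-13 19:38 . 2008-05-13 19:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Program Files\AVG
2008-05-20 10:11 . 2008-05-20 10:11 40,960 --a------ C:\Windows\ctfmon32.exe
2008-05-20 10:11 . 2008-05-20 10:11 12,288 --a------ C:\Windows\svchost32.exe
2008-05-20 10:11 . 2008-05-20 10:11 7,168 --a------ C:\Windows\rundll32.vbe
2008-05-20 10:11 . 2008-05-20 10:11 9,216 --a------ C:\Windows\rundll16.exe
2008-05-20 10:12 . 2008-05-20 10:12 15,360 --a------ C:\Windows\svchost.exe
"""

if __name__ == "__main__":
    hits = flag_lookalikes(SAMPLE_LOG)
    for path, reason in hits:
        print(f"{reason:16} {path}")
    print(build_cfscript([path for path, _ in hits]))
```

A match is a reason to look closer, not a verdict: a legitimate binary can be copied out of place, so confirm with the file's version resource or a hash before putting it in a CFScript, since ComboFix deletes whatever the File:: block names.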

#39 Robin Miller (Topic Starter, Member, 32 posts)
Here's the ComboFix log:

ComboFix 08-05-21.3 - Robin Miller 2008-05-27 19:10:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.564 [GMT -5:00]
Running from: C:\Documents and Settings\Robin Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robin Miller\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Windows\ctfmon32.exe
C:\Windows\ctrlpan.dll
C:\Windows\directx32.exe
C:\Windows\dnsrelay.dll
C:\Windows\editpad.exe
C:\Windows\explorer32.exe
C:\Windows\funniest.exe
C:\Windows\funny.exe
C:\Windows\gfmnaaa.dll
C:\Windows\helpcvs.exe
C:\Windows\inetinf.exe
C:\Windows\internet.exe
C:\Windows\msconfd.dll
C:\Windows\msspi.dll
C:\Windows\mswsc10.dll
C:\Windows\mswsc20.dll
C:\Windows\qttasks.exe
C:\Windows\quicken.exe
C:\Windows\rundll16.exe
C:\Windows\rundll32.vbe
C:\Windows\searchword.dll
C:\Windows\sistem.exe
C:\Windows\svchost32.exe
C:\Windows\svcinit.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\ctfmon32.exe
C:\Windows\ctrlpan.dll
C:\Windows\directx32.exe
C:\Windows\dnsrelay.dll
C:\Windows\editpad.exe
C:\Windows\explorer32.exe
C:\Windows\funniest.exe
C:\Windows\funny.exe
C:\Windows\gfmnaaa.dll
C:\Windows\helpcvs.exe
C:\Windows\inetinf.exe
C:\Windows\internet.exe
C:\Windows\msconfd.dll
C:\Windows\msspi.dll
C:\Windows\mswsc10.dll
C:\Windows\mswsc20.dll
C:\Windows\qttasks.exe
C:\Windows\quicken.exe
C:\Windows\rundll16.exe
C:\Windows\rundll32.vbe
C:\Windows\searchword.dll
C:\Windows\sistem.exe
C:\Windows\svchost32.exe
C:\Windows\svcinit.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-25 17:20 . 2008-05-25 17:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 21:54 . 2008-05-24 21:54 21,504 --a------ C:\WINDOWS\jestertb.dll
2008-05-23 23:14 . 2008-05-23 23:14 5,360 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 23:13 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-23 23:13 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-23 23:13 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2008-05-18 19:01 <DIR> d-------- C:\Documents and Settings\Robin Miller\DoctorWeb
2008-05-17 18:10 . 2008-05-17 18:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 18:10 . 2008-05-17 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 17:29 . 2008-05-17 17:29 <DIR> d-------- C:\_OTMoveIt
2008-05-17 12:02 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-17 12:01 . 2008-05-17 12:01 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 22:33 . 2008-05-15 22:33 <DIR> d-------- C:\Deckard
2008-05-15 06:50 . 2008-05-15 22:10 <DIR> d-------- C:\Documents and Settings\J.E. Miller\Application Data\AVGTOOLBAR
2008-05-14 23:25 . 2008-05-14 23:25 <DIR> d-------- C:\Documents and Settings\Amanda Miller\Application Data\Malwarebytes
2008-05-14 23:11 . 2008-05-15 17:55 <DIR> d-------- C:\Documents and Settings\Amanda Miller\Application Data\AVGTOOLBAR
2008-05-13 22:45 . 2008-05-13 22:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-13 22:45 . 2008-05-25 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:03 . 2008-05-13 22:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-13 19:55 . 2008-05-24 12:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-13 19:38 . 2008-05-25 16:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Program Files\AVG
2008-05-13 19:38 . 2008-05-18 21:06 <DIR> d-------- C:\Documents and Settings\Robin Miller\Application Data\AVGTOOLBAR
2008-05-13 19:38 . 2008-05-13 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-13 19:38 . 2008-05-13 19:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 19:38 . 2008-05-13 19:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-13 19:38 . 2008-05-13 19:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 17:55 . 2008-05-13 17:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 17:55 . 2008-05-13 17:55 <DIR> d-------- C:\Documents and Settings\Robin Miller\Application Data\Malwarebytes
2008-05-13 17:55 . 2008-05-13 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 17:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 17:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 17:47 . 2008-05-12 17:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-12 17:45 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 17:45 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 17:45 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-12 17:45 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 17:45 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-11 21:31 . 2008-05-11 21:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 03:16 --------- d-----w C:\Program Files\Free Video Converter
2008-05-17 17:02 --------- d-----w C:\Program Files\Java
2008-05-14 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 02:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-14 01:16 --------- d-----w C:\Program Files\DIGStream
2008-05-04 23:39 --------- d-----w C:\Program Files\FinePixViewer
2008-04-26 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-04-24 22:18 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-24 22:18 --------- d-----w C:\Documents and Settings\Amanda Miller\Application Data\NCH Swift Sound
2008-04-04 20:49 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
.

((((((((((((((((((((((((((((( [email protected]_21.29.21.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:24:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 22:15:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 22:21:38 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-25 22:21:38 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-25 22:21:38 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-25 22:21:38 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-12-14 17:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-13 19:38 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-13 19:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-13 19:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"BlueLight_uoltray"="C:\Program Files\BlueLight Internet\exec.exe" [2007-03-07 20:38 1629184]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-16 09:45 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-16 09:45 98304]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 06:00 455168]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"P17Helper"="P17.dll" [2004-06-10 17:51 60928 C:\WINDOWS\system32\P17.dll]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 06:00 59392]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 06:00 44032]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 11:45 196608]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 18:08 106496]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-13 19:38 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-11-16 09:44:44 156784]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2008-02-24 20:37:32 303104]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2006-04-26 21:38:12 55296]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-13 19:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-13 19:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 19:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-13 19:38]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 19:13:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 19:13:49
ComboFix-quarantined-files.txt 2008-05-28 00:13:43
ComboFix2.txt 2008-05-25 14:16:07
ComboFix3.txt 2008-05-24 03:56:17
ComboFix4.txt 2008-05-23 02:29:39

Pre-Run: 123,946,962,944 bytes free
Post-Run: 123,965,222,912 bytes free

232 --- E O F --- 2008-05-16 04:11:11

#40 Robin Miller (Topic Starter, Member, 32 posts)
Here's the OTScanIt log:

[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\Robin Miller\Desktop\ATF-Cleaner.exe:Zone.Identifier deleted successfully.
ADS C:\Documents and Settings\Robin Miller\Desktop\ComboFix.exe:Zone.Identifier deleted successfully.
ADS C:\Documents and Settings\Robin Miller\Desktop\drweb-cureit.exe:Zone.Identifier deleted successfully.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Unable to delete ADS C:\Documents and Settings\Robin Miller\Desktop\ATF-Cleaner.exe:Zone.Identifier .
Unable to delete ADS C:\Documents and Settings\Robin Miller\Desktop\ComboFix.exe:Zone.Identifier .
Unable to delete ADS C:\Documents and Settings\Robin Miller\Desktop\drweb-cureit.exe:Zone.Identifier .
Unable to delete ADS C:\Documents and Settings\Robin Miller\Desktop\OTScanIt.exe:Zone.Identifier .
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\JET709A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\Perflib_Perfdata_610.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFE671.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFE67E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.1 fix logfile created on 05272008_192132

Files moved on Reboot...
File C:\Documents and Settings\Robin Miller\Local Settings\temp\JET709A.tmp not found!
File C:\Documents and Settings\Robin Miller\Local Settings\temp\Perflib_Perfdata_610.dat not found!
File C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFE671.tmp not found!
File C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFE67E.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
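The fix log above removes a 26-byte Zone.Identifier stream from each tool that was downloaded to the Desktop; the same streams are listed again under the Modified heading, so the second pass had nothing left to delete. As an added example, not part of this thread and not code from OTScanIt, the Python below decodes that stream (the "mark of the web" that Windows attaches to downloaded files) and accounts for the 26 bytes. The two sample streams are constructed; the zone table is Internet Explorer's standard zone numbering.

```python
"""Decode a Zone.Identifier alternate data stream (the "mark of the web").

Added example, not code from the thread or from OTScanIt. The two sample streams
are constructed; the zone table is the standard Internet Explorer zone numbering.
"""
import sys
from typing import Dict, Optional

# URL security zone numbers as used by Internet Explorer and the
# Attachment Execution Service that stamps downloaded files.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Parse the INI-style stream body; keys are lower-cased, values untouched."""
    fields: Dict[str, str] = {}
    section = None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def zone_of(data: bytes) -> Optional[int]:
    """ZoneId as an int, or None when the stream is empty or malformed."""
    try:
        return int(parse_zone_identifier(data)["zoneid"])
    except (KeyError, ValueError):
        return None


def describe(data: bytes) -> str:
    zone = zone_of(data)
    name = "missing" if zone is None else ZONE_NAMES.get(zone, "unknown")
    return f"ZoneId={zone} ({name}), {len(data)} bytes"


def read_zone_identifier(path: str) -> Optional[bytes]:
    """Read the stream from an NTFS file. Only Windows exposes '<file>:<stream>'
    through a normal open(); elsewhere, or when no stream exists, return None."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return stream.read()
    except OSError:
        return None


# Constructed sample 1: the whole stream a Windows XP browser writes for a file
# saved from the Internet zone. "[ZoneTransfer]\r\n" is 16 bytes and
# "ZoneId=3\r\n" is 10, which is the 26 bytes OTScanIt reported.
SAMPLE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"

# Constructed sample 2: newer Windows versions also record where the file came from.
EXTENDED_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.com/\r\n"
    b"HostUrl=https://example.com/tool.exe\r\n"
)

if __name__ == "__main__":
    for label, data in (("XP", SAMPLE_STREAM), ("later", EXTENDED_STREAM)):
        print(label, describe(data), parse_zone_identifier(data))
    # On Windows, point this at a downloaded file to read its real stream:
    # print(describe(read_zone_identifier(r"C:\path\to\download.exe") or b""))
```

The stream is metadata about where a file came from, not malware; removing it from a tool you downloaded on purpose only silences the "publisher could not be verified" prompt. Because it lives beside the file's data on NTFS rather than inside it, it survives copies between NTFS volumes but is lost on FAT media and in most archive formats.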

#41 Robin Miller (Topic Starter, Member, 32 posts)
And here's a new OTScanIt scan:


Attached file: OTScanIt.Txt (198.41KB)

Edited by Robin Miller, 27 May 2008 - 06:43 PM.


#42 Robin Miller (Topic Starter, Member, 32 posts)
Hi,

I didn't have any trouble with the above steps. And my computer is working lots better! No more pop-ups, and no more red or blue desktop backgrounds!

#43 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there Robin Miller,

Looking much better :) I would like to run an online scan to see if we have any stragglers. Question, do you or did you ever have anything related to My little pony? Maybe a game for your kids?

Did you install Free Video Converter? If not, uninstall it through Add or Remove Programs and delete this folder: C:\Program Files\Free Video Converter

Fixes With OTScanIt

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\windows\system32\blank.htm
[Files/Folders - Created Within 30 days]
NY -> 28 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 28 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\Robin Miller\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Robin Miller\Local Settings\temp\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Running Kaspersky Online Virus Scanner

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Edited by Mike, 28 May 2008 - 05:42 AM.

  • 0

#44
Robin Miller

Robin Miller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Yep, my daughter had a My Little Pony game, not sure if it's still around here somewhere, most probably. I did install the Free Video Converter, trying to learn how to convert videos for her new mp3 player, but it's really not needed, so I just uninstalled it.

Okay, here's the first one:

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.
[Files/Folders - Created Within 30 days]
[Files/Folders - Modified Within 30 days]
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\JETFEF2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFF110.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFF11D.tmp scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\JETFEF2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\Perflib_Perfdata_7dc.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFF110.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFF11D.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.1 fix logfile created on 05282008_204522

Files moved on Reboot...
File C:\Documents and Settings\Robin Miller\Local Settings\temp\JETFEF2.tmp not found!
File C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFF110.tmp not found!
File C:\Documents and Settings\Robin Miller\Local Settings\temp\~DFF11D.tmp not found!
File C:\Documents and Settings\Robin Miller\Local Settings\temp\Perflib_Perfdata_7dc.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
  • 0

#45
Robin Miller

Robin Miller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Here's the OTScanIt log:

Attached File  OTScanIt.Txt   198.18KB   44 downloads


And the Kaspersky online:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 28, 2008 10:40:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 810423
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 82506
Number of viruses found: 5
Number of infected objects: 17
Number of suspicious objects: 10
Duration of the scan process: 00:59:53

Infected Object Name / Virus Name / Last Action
C:\d055753fc35576d481\update\update.exe Object is locked skipped
C:\d055753fc35576d481\update\updspapi.dll Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\BlueLight\Isp\BootExceptions.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\BlueLight\Isp\ExecExceptions.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\BlueLight\Isp\IspDblog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\BlueLight\Isp\MainExceptions.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\34b6b454f78f576ac2d0552f39fe259d_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip/systeem.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Amanda Miller\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin Miller\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robin Miller\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Robin Miller\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Robin Miller\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Robin Miller\DoctorWeb\Quarantine\A0092524.dll Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Application Data\SupportSoft\DellSupportCenter\Robin Miller\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\temp\JET1392.tmp Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\temp\Perflib_Perfdata_4a0.dat Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Robin Miller\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robin Miller\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robin Miller\ntuser.dat.LOG Object is locked skipped
C:\fbba63bf00fc7b896631ff26\update\update.exe Object is locked skipped
C:\fbba63bf00fc7b896631ff26\update\updspapi.dll Object is locked skipped
C:\fbba63bf00fc7b896631ff26\update\wpdinstallutil.dll Object is locked skipped
C:\Program Files\filesubmit\megaman_x4.zip\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\filesubmit\megaman_x4.zip\atoolbar400134.exe WiseSFX: infected - 1 skipped
C:\Program Files\filesubmit\megaman_x4.zip\atoolbar400134.exe WiseSFXDropper: infected - 1 skipped
C:\Program Files\filesubmit\mmxserieszero.exe\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\filesubmit\mmxserieszero.exe\atoolbar400134.exe WiseSFX: infected - 1 skipped
C:\Program Files\filesubmit\mmxserieszero.exe\atoolbar400134.exe WiseSFXDropper: infected - 1 skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP787\A0096908.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0097691.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0097844.exe/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.Accoona.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0097844.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0097844.exe WiseSFXDropper: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP806\A0100830.dll Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP806\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel® 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B5E407FB-3362-4258-B196-F8C83EEE5A7D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3026EE76-A191-4AAE-AC0D-247B19F7152B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0
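When reading a Kaspersky Online Scanner report like the one above, the useful step is to separate the "Object is locked" noise (registry hives, event logs, other files Windows holds open) from real verdicts, and then to note where each hit lives: a copy inside a System Restore point or inside another tool's quarantine folder is not running code, while a hit under Program Files is. The following Python script is an added example, not code from this thread or from Kaspersky; it parses the report line format seen above into a small triage summary. The sample lines are constructed in that format, the detection names and paths in them are made up, and the location and severity rules (restore points, folders named Recovery or Quarantine, the "not-a-virus:" prefix) are assumptions chosen for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample report in the Kaspersky Online Scanner line format
# (assumed from the layout in this thread; paths and names are made up).
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\Owner\\Desktop\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\Sample1.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\Sample1.zip ZIP: suspicious - 1 skipped
C:\\Program Files\\Example\\toolbar.exe Infected: Trojan-Downloader.Win32.Example.a skipped
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000001.exe Infected: not-a-virus:AdWare.Win32.Example.b skipped
C:\\Program Files\\Example\\installer.exe WiseSFX: infected - 1 skipped
"""

# One regex per verdict form seen in the report. Paths contain spaces, so they
# are matched non-greedily up to the verdict keyword that follows them.
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
SUSPICIOUS_RE = re.compile(r"^(?P<path>.+?) Suspicious: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(
    r"^(?P<path>.+?) (?P<fmt>[A-Za-z0-9]+): (?P<verdict>infected|suspicious) - (?P<count>\d+) skipped$"
)


@dataclass
class Finding:
    path: str
    verdict: str    # "infected", "suspicious" or "archive"
    name: str       # detection name, suspicion reason, or archive format
    location: str   # "live", "restore-point" or "quarantine"
    severity: str   # "malware", "riskware", "suspicious" or "container"


def classify_location(path: str) -> str:
    """Heuristic (assumed): copies inside System Restore points or inside an
    anti-malware tool's quarantine folder are stored data, not running code."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\recovery\\" in p or "\\quarantine\\" in p:
        return "quarantine"
    return "live"


def classify_severity(verdict: str, name: str) -> str:
    """Kaspersky prefixes adware, risk tools and similar with 'not-a-virus:'."""
    if verdict != "infected":
        return "suspicious"
    return "riskware" if name.startswith("not-a-virus:") else "malware"


def parse_line(line: str):
    """Return a Finding for a verdict line, or None for locked/unrecognised lines."""
    line = line.strip()
    if not line or LOCKED_RE.match(line):
        return None  # blank, or a locked system file: not a detection
    for rx, verdict in ((INFECTED_RE, "infected"),
                        (SUSPICIOUS_RE, "suspicious"),
                        (ARCHIVE_RE, "archive")):
        m = rx.match(line)
        if m:
            path = m.group("path")
            name = m.group("fmt") if verdict == "archive" else m.group("name")
            # An archive line only repeats a member already listed on its own
            # line, so it is tagged as a container to avoid double counting.
            sev = "container" if verdict == "archive" else classify_severity(verdict, name)
            return Finding(path, verdict, name, classify_location(path), sev)
    return None  # header, statistics or other non-verdict text


def parse_report(text: str):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def triage(text: str):
    """Return (counts keyed by (location, severity), findings on the live file
    system that are not mere archive containers)."""
    findings = parse_report(text)
    counts = Counter((f.location, f.severity) for f in findings)
    actionable = [f for f in findings
                  if f.location == "live" and f.severity != "container"]
    return counts, actionable


if __name__ == "__main__":
    counts, actionable = triage(SAMPLE_REPORT)
    for (loc, sev), n in sorted(counts.items()):
        print(f"{loc:14s} {sev:10s} {n}")
    print("\nNeeds attention on the live file system:")
    for f in actionable:
        print(f"  [{f.severity}] {f.name}  <-  {f.path}")
```

Run against the sample it reports two live items (the RiskTool flagged on SmitfraudFix's own Reboot.exe, which is the removal tool's helper rather than an infection, and the constructed trojan under Program Files) and pushes the restore-point and quarantine copies into their own buckets, which is the distinction the helper makes when deciding whether anything still needs cleaning versus clearing old restore points.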